GNU Wget
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in GNU Wget.
By the Year
In 2026 there have been 0 vulnerabilities in GNU Wget. Wget did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 9.10 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 6.10 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 9.80 |
| 2018 | 2 | 6.50 |
It may take a day or so for new Wget vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent GNU Wget Security Vulnerabilities
Wget Arbitrary Host Access Vulnerability via Shorthand URL Credential Injection
CVE-2024-10524
- November 19, 2024
Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.
SSRF
GNU Wget <=1.24.5 URL.C Userinfo Semicolon Misinterpretation
CVE-2024-38428
9.1 - Critical
- June 16, 2024
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
Interpretation Conflict
GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin
CVE-2021-31879
6.1 - Medium
- April 29, 2021
GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
Open Redirect
Buffer overflow in GNU Wget 1.20.1 and earlier
CVE-2019-5953
9.8 - Critical
- May 17, 2019
Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code via unspecified vectors.
Memory Corruption
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which
CVE-2018-20483
- December 26, 2018
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c
CVE-2018-0494
6.5 - Medium
- May 06, 2018
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.
Improper Input Validation
GNU wget before 1.18
CVE-2016-4971
8.8 - High
- June 30, 2016
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.
CVE-1999-0402
- January 02, 1999
wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.
