Every CVE whose affected-product data names Gnu Wget, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2019-5953 — CVSS 9.8 (critical): Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute an arbitrary code…
CVE-2014-4877 — CVSS 9.3 (critical): Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary…
CVE-2024-38428 — CVSS 9.1 (critical): url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in…
CVE-2016-4971 — CVSS 8.8 (high): GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
CVE-2017-13089 — CVSS 8.8 (high): The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked…
CVE-2017-13090 — CVSS 8.8 (high): The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the…
CVE-2016-7098 — CVSS 8.1 (high): Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to…
CVE-2018-20483 — CVSS 7.8 (high): set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the…
CVE-2009-3490 — CVSS 6.8 (medium): GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which…
CVE-2010-2252 — CVSS 6.8 (medium): GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download…
CVE-2018-0494 — CVSS 6.5 (medium): GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a…
CVE-2017-6508 — CVSS 6.1 (medium): CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP…
CVE-2021-31879 — CVSS 6.1 (medium): GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
CVE-2006-6719 — CVSS 5.0 (medium): The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) GNU wget 1.10.2 allows remote attackers to cause a denial of service…
CVE-2004-1488 — CVSS 5.0 (medium): wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote…
CVE-1999-0402 — CVSS 5.0 (medium): wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.
CVE-2002-1344 — CVSS 5.0 (medium): Directory traversal vulnerability in wget before 1.8.2-4 allows a remote FTP server to create or overwrite files as the wget user via…
CVE-2004-1487 — CVSS 5.0 (medium): wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves…
CVE-2004-2014 — CVSS 2.6 (low): Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded.