PatchSiren

gnuwget CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM gnuwget CVE published 2026-07-07

CVE-2026-58471

CVE-2026-58471 is a heap buffer overflow vulnerability in GNU Wget through 1.25.0. The vulnerability exists in the convert_fname() function within src/url.c and allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining spa [truncated]

MEDIUM gnuwget CVE published 2026-07-07

CVE-2026-58470

CVE-2026-58470 is an integer overflow vulnerability in GNU Wget through 1.25.0. The vulnerability exists in the parse_content_range() function within src/http.c. It allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.

HIGH gnuwget CVE published 2026-07-07

CVE-2026-58469

CVE-2026-58469 is a heap buffer underread vulnerability in GNU Wget through 1.25.0. The vulnerability exists in the clean_metalink_string() function within src/metalink.c. A malicious server can trigger memory corruption by serving a Metalink document containing a whitespace-only URL. This can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink [truncated]