Vulnerability Details CVE-2026-58469
GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 27.2%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-58469
-
-
-
cpe:2.3:a:gnu:wget:1.10.1
-
cpe:2.3:a:gnu:wget:1.10.2
-
-
cpe:2.3:a:gnu:wget:1.11.1
-
cpe:2.3:a:gnu:wget:1.11.2
-
cpe:2.3:a:gnu:wget:1.11.3
-
cpe:2.3:a:gnu:wget:1.11.4
-
cpe:2.3:a:gnu:wget:1.11.4-1
-
-
-
cpe:2.3:a:gnu:wget:1.13.1
-
cpe:2.3:a:gnu:wget:1.13.3
-
cpe:2.3:a:gnu:wget:1.13.4
-
-
-
-
cpe:2.3:a:gnu:wget:1.16.1
-
cpe:2.3:a:gnu:wget:1.16.2
-
cpe:2.3:a:gnu:wget:1.16.3
-
-
cpe:2.3:a:gnu:wget:1.17.1
-
-
-
cpe:2.3:a:gnu:wget:1.19.1
-
cpe:2.3:a:gnu:wget:1.19.2
-
cpe:2.3:a:gnu:wget:1.19.3
-
cpe:2.3:a:gnu:wget:1.19.4
-
cpe:2.3:a:gnu:wget:1.19.5
-
-
cpe:2.3:a:gnu:wget:1.20.1
-
-
-
-
-
-
-
-
-
-
-
-
-
-