CVE-2026-58472 GNU Wget vulnerability
GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.
Quick answer
GNU Wget should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- GNU Wget through 1.25.0
Fixed versions
- commit dd692d9cea5335b181d877ae917fe6e75587a812
How to fix it
CVE-2026-58472 affects GNU Wget through version 1.25.0 in html_quote_string() in src/convert.c. A malicious or compromised server can trigger heap buffer overflow from crafted HTML attributes requiring extensive entity encoding, so systems that use Wget in automated fetch, mirroring, build, or deployment jobs should be prioritized. The upstream fix is commit dd692d9cea5335b181d877ae917fe6e75587a812; apply a vendor package that includes that patch, a distro backport, or a locally rebuilt Wget package containing the commit. Until a patched package is deployed, reduce use of affected Wget workflows against untrusted servers, especially HTML conversion or recursive mirroring against untrusted servers.
- Inventory GNU Wget installations on servers, containers, CI runners, deployment images, cron jobs, backup scripts, and developer workstations.
- Identify Wget versions through package metadata and `wget --version`, and treat versions through 1.25.0 as affected unless the vendor package clearly backports the relevant fix.
- Update GNU Wget to a vendor-supported patched package or backport the upstream fix commit dd692d9cea5335b181d877ae917fe6e75587a812.
- Reduce exposure to HTML conversion or recursive mirroring against untrusted servers until patched, and avoid using vulnerable Wget against untrusted or user-controlled URLs.
- Run high-risk download automation in a restricted container or sandbox with minimal credentials, filesystem access, and outbound reachability.
- Review recent download logs, CI artifacts, mirrors, and fetched files for unexpected servers, crafted headers, malformed Metalink data, or abnormal Wget crashes.
- Rebuild base images and redeploy automation hosts so patched Wget is used consistently by scripts, package mirrors, and scheduled jobs.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm package changelogs or source history include CVE-2026-58472 or upstream commit dd692d9cea5335b181d877ae917fe6e75587a812.
- Confirm `wget --version` and package manager output show the patched vendor build on every affected host and container image.
- Rerun OS package, container, and dependency scans to confirm vulnerable Wget builds are no longer reported.
- Retest affected download, mirroring, resume, conversion, or Metalink workflows against trusted fixtures and confirm they complete without crashes or unsafe parsing behavior.
- Document patched package versions, rebuilt images, compensating controls, and scan evidence for change tracking.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-58472?
GNU Wget versions listed as affected should be reviewed: GNU Wget through 1.25.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
