CVE-2025-69195

HIGH7.6

Wget2: gnu wget2: memory corruption and crash via filename sanitization logic with attacker-controlled urls

Published Jan 9, 2026

Modified 4 days ago

No fix available

Details

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.

References

WEBhttps://access.redhat.com/security/cve/CVE-2025-69195 WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2425770 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-69195

CVSS Analysis

CVSS v3.1

7.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

HighA:H

7.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Weakness Type (CWE)

Other

CWE-121

Ecosystems

Timeline

PublishedJan 9, 2026

ModifiedJan 10, 2026