Updated: 2026-02-27 02:52:42.159943
Description:
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | CRITICAL | 9.1 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | wget | 1.21.1 | 9.1 | CRITICAL | Released | CLSA-2024:1725898066 | 2024-09-09 12:21:08 | |
| Alpine Linux 3.18 ELS | wget | 1.21.4 | 9.1 | CRITICAL | Released | CLSA-2025:1760989666 | 2025-10-20 21:31:02 | |
| CentOS 6 ELS | wget | 1.12 | 9.1 | CRITICAL | Released | CLSA-2025:1756409922 | 2025-09-05 19:42:45 | |
| CentOS 7 ELS | wget | 1.14 | 9.1 | CRITICAL | Released | CLSA-2024:1723796201 | 2024-08-30 14:30:24 | |
| CentOS 8.4 ELS | wget | 1.19.5 | 9.1 | CRITICAL | Released | CLSA-2024:1723826300 | 2024-08-16 14:31:19 | |
| CentOS 8.5 ELS | wget | 1.19.5 | 9.1 | CRITICAL | Released | CLSA-2024:1723795173 | 2024-08-16 05:32:43 | |
| CentOS Stream 8 ELS | wget | 1.19.5 | 9.1 | CRITICAL | Released | CLSA-2024:1723794812 | 2024-08-16 05:32:40 | |
| CloudLinux 6 ELS | wget | 1.12 | 9.1 | CRITICAL | Ignored | 2025-08-29 11:05:15 | ||
| CloudLinux 7 ELS | wget | 1.14 | 9.1 | CRITICAL | Released | CLSA-2024:1724061730 | 2024-08-30 14:26:32 | |
| Debian 10 ELS | wget | 1.20.1 | 9.1 | CRITICAL | Released | CLSA-2025:1762783856 | 2025-11-10 16:33:53 |