CVE-2025-69195 HIGH

CVE-2025-69195: Wget2: gnu wget2: memory corruption and crash via filename sanitization logic with attacker-controlled urls

Weakness CWE-121
Published January 9, 2026
Last update February 26, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

What the vulnerability does

01Description

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.

Key dates

02Disclosure timeline

January 9, 2026 CVE published
February 26, 2026 Record updated