CVE-2025-69194

EUVD-2026-1781
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
gnuwget2
𝑥
< 2.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
wget2
bookworm
no-dsa
bullseye
postponed
forky
2.2.0+ds-3
fixed
sid
2.2.0+ds-3
fixed
trixie
2.2.0+ds-1+deb13u1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
wget
Azure Linux 3.0
0:2.1.0-7.azl3
fixed