JLSEC-2026-120 — Vulnetix

JLSEC-2026-120 PUBLISHED

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Affected Products

Vendor	Product	Versions
Julia	wget_jll	0, 0

Timeline

Apr 15, 2026 CVE Published
Apr 15, 2026 CVE Updated

References

https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace url
https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html url
https://lists.debian.org/debian-lts-announce/2025/04/msg00029.html url
https://security.netapp.com/advisory/ntap-20241115-0005/ url

Open in Interactive Console →