JLSEC-2026-119 Medium 6.5

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary...

JLSEC Published: Apr 15, 2026
Modified: Apr 15, 2026
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Affected Packages: wget_jll < 1.25.0+0
Aliases / Upstream: CVE-2024-10524 GHSA-mqrm-h2pw-9j9r EUVD-2024-33431

Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host.

References

https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
https://seclists.org/oss-sec/2024/q4/107
http://www.openwall.com/lists/oss-security/2024/11/18/6
https://security.netapp.com/advisory/ntap-20250321-0007/
https://nvd.nist.gov/vuln/detail/CVE-2024-10524
https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability
https://security.netapp.com/advisory/ntap-20250321-0007
https://github.com/advisories/GHSA-mqrm-h2pw-9j9r