CVE-2026-58471
GNU Wget up to 1.25.0 contains a heap buffer overflow in convert_fname() (src/url.c) that can be triggered by a server-supplied filename requiring character set conversion. When the output buffer is too small and iconv E2BIG reallocates, the remaining space is miscalculated, allowing memory corru...