GNU Wget (legalhackers.com)
2 points by dawid_golunski on July 6, 2016 | hide | past | favorite | 1 comment



GNU Wget before 1.18, when supplied with a malicious URL (to a malicious or compromised web server), can be tricked into saving an arbitrary remote file supplied by an attacker, with arbitrary contents and filename, under the current directory and possibly other directories by writing to .wgetrc. Depending on the context in which wget is used, this can lead to remote code execution and even root privilege escalation if wget is run via a root cronjob, as is often the case in many web application deployments.

Full advisory and exploit at:

http://legalhackers.com/advisories/Wget-Arbitrary-File-Uploa...

Regards, Dawid Golunski
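The post gives one hard fact a defender can act on: releases before 1.18 are affected. The script below is an added example, not code from the advisory or the Wget project; it parses the first line of `wget --version` (assumed to start with "GNU Wget X.Y.Z", and a constructed sample of that line is used in the comments) and reports whether the installed build predates 1.18. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Wget project): decide whether an
# installed wget predates 1.18, the first release the post describes as fixed.

# Reads the output of `wget --version` on stdin and prints only the version
# number from its first line, e.g. the constructed input
#   "GNU Wget 1.17.1 built on linux-gnu."  ->  "1.17.1"
wget_version_string() {
    sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 (true) when version $1 is earlier than 1.18, 1 otherwise.
# Only the major and minor components matter for this comparison.
wget_version_before_1_18() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${major:-0}" -lt 1 ] && return 0
    [ "${major:-0}" -gt 1 ] && return 1
    [ "${minor:-0}" -lt 18 ]
}

# Checks the wget binary on this host. Prints a verdict and returns
# 0 if it is before 1.18, 1 if it is 1.18 or later, 2 if no version was parsed.
check_installed_wget() {
    v=$(wget --version 2>/dev/null | wget_version_string)
    if [ -z "$v" ]; then
        echo "wget not found or version line not parsed"
        return 2
    fi
    if wget_version_before_1_18 "$v"; then
        echo "wget $v is before 1.18: update it before it runs from any cron job"
        return 0
    fi
    echo "wget $v is 1.18 or later"
    return 1
}

# Run the host check only when invoked as `sh check-wget.sh --check`, so the
# functions can also be sourced and reused without side effects.
if [ "${1:-}" = "--check" ]; then
    check_installed_wget
fi
```

Run it with `--check` on each host that has wget in a cron job; the exit status (0 for vulnerable) makes it easy to fold into a fleet-wide inventory script.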
