As you might have seen, the new release 1.20.1 of GNU Wget addresses CVE-2018-20483 [1]. The issue is that since 1.19 Wget stores the URL and in certain cases the ‘Referer’ URL within extended attributes (xattrs) of the file system – by default.

Wget developer Tim Rühsen