Security Flaw in GNU Wget's FTP Passive Mode Implementation
CVE-2026-15146

5.9MEDIUM

Key Information:

Vendor

Gnu Wget

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-15146?

The security issue in GNU Wget resides in its failure to properly validate the IP address received from an FTP PASV response when operating in passive mode. This oversight enables a malicious FTP or HTTP server that redirects to FTP to manipulate Wget’s data connection, potentially sending it to harmful IP addresses. This behavior can be exploited to perform server-side request forgery (SSRF), which may expose sensitive services running on localhost or internal network resources to unauthorized access.

Affected Version(s)

Wget 0 <= 1.25.0 before commit 4f85853f641863d5915786a8413e1a213726a62b

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.