Security Flaw in GNU Wget's FTP Passive Mode Implementation
CVE-2026-15146
5.9MEDIUM
What is CVE-2026-15146?
The security issue in GNU Wget resides in its failure to properly validate the IP address received from an FTP PASV response when operating in passive mode. This oversight enables a malicious FTP or HTTP server that redirects to FTP to manipulate Wget’s data connection, potentially sending it to harmful IP addresses. This behavior can be exploited to perform server-side request forgery (SSRF), which may expose sensitive services running on localhost or internal network resources to unauthorized access.
Affected Version(s)
Wget 0 <= 1.25.0 before commit 4f85853f641863d5915786a8413e1a213726a62b
