CVE-2026-15146
CVE-2026-15146
CVSS Score
5.9
EPSS Score
0.1%
EPSS Percentile
2th
GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wgetโs data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.
| Vendor | gnu wget |
| Product | wget |
| Published | Jul 10, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for gnu wget wget
Be the first to know when new medium vulnerabilities affecting gnu wget wget are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
GNU wget / Wget
0 < 1.25.0+4f85853f64