๐Ÿ” CVE Alert

CVE-2026-15146

MEDIUM 5.9

CVE-2026-15146

CVSS Score
5.9
EPSS Score
0.1%
EPSS Percentile
2th

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wgetโ€™s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

Vendor gnu wget
Product wget
Published Jul 10, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for gnu wget wget

Be the first to know when new medium vulnerabilities affecting gnu wget wget are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

GNU wget / Wget
0 < 1.25.0+4f85853f64

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
cgit.git.savannah.gnu.org: https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b kb.cert.org: https://kb.cert.org/vuls/id/564823 kb.cert.org: https://www.kb.cert.org/vuls/id/564823