SSRF via Unvalidated FTP PASV IP in GNU Wget <1.25.0
CVE-2026-15146 Published on July 10, 2026
CVE-2026-15146
GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wgets data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.
Vulnerability Analysis
CVE-2026-15146 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Products Associated with CVE-2026-15146
Want to know whenever a new CVE is published for GNU Wget? stack.watch will email you.
Affected Versions
GNU wget Wget:- Before and including 1.25.0 before commit 4f85853f641863d5915786a8413e1a213726a62b is affected.