PT-2026-57263 · Gnu · Wget
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-15146
CVSS v3.1
5.9
Medium
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
GNU Wget versions prior to 1.25.1
Description
GNU Wget fails to validate the IP address provided by an FTP PASV response when operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect the data connection to an arbitrary IP address and port. This leads to Server-Side Request Forgery (SSRF), a technique where an attacker induces a server-side application to make requests to an unintended location, potentially allowing access to localhost services or internal network resources.
Recommendations
Update GNU Wget to the latest patched version.
Implement robust egress filtering and network segmentation to limit the potential impact of the issue.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Wget