PT-2026-57263 · Gnu · Wget

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-15146

CVSS v3.1

5.9

Medium

VectorAV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions GNU Wget versions prior to 1.25.1
Description GNU Wget fails to validate the IP address provided by an FTP PASV response when operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect the data connection to an arbitrary IP address and port. This leads to Server-Side Request Forgery (SSRF), a technique where an attacker induces a server-side application to make requests to an unintended location, potentially allowing access to localhost services or internal network resources.
Recommendations Update GNU Wget to the latest patched version. Implement robust egress filtering and network segmentation to limit the potential impact of the issue.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-15146

Affected Products

Wget