Skip to main content

GNU Wget CVE-2026-15146

| EUVDEUVD-2026-42980 MEDIUM
2026-07-10 certcc GHSA-77jw-q7w3-q2hw
5.9
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

AV:N because the attack originates from a remote server Wget connects to; no confidentiality, integrity, or availability impact beyond the SSRF data interaction itself.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jul 10, 2026 - 22:06 vuln.today
CVSS changed
Jul 10, 2026 - 20:22 NVD
5.9 (None) 5.9 (MEDIUM)
CVE Published
Jul 10, 2026 - 18:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

AnalysisAI

GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control or compromise FTP server target fetches from
Delivery
Wget initiates FTP passive mode connection
Exploit
Inject crafted PASV response with internal IP:port
Execution
Wget opens data connection to internal target
Impact
Read or write to internal service as SSRF

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim machine is running GNU Wget version 1.25.0 or earlier and is fetching content either directly from an attacker-controlled FTP server in passive mode (the Wget default), or following an HTTP 301/302 redirect from any HTTP/HTTPS URL to an attacker-controlled ftp:// URL. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-supplied CVSS base vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, score 5.9) contains a critical inconsistency: AV:L (Local attack vector) requires the attacker to have local access to the vulnerable system, yet the vulnerability description unambiguously describes an attack originating from a remote FTP server that the Wget client connects to over the network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sets up a malicious FTP server (or configures a web server to return a 302 redirect to ftp://attacker-server/) that a CI/CD pipeline or cron job uses Wget to fetch from. When Wget enters passive mode, the attacker's server returns a crafted PASV 227 response specifying 169.254.169.254:80 (the AWS/GCP/Azure Instance Metadata Service) as the data connection endpoint. …
Remediation Apply the upstream fix by building or installing a version of Wget that includes commit 4f85853f641863d5915786a8413e1a213726a62b from the Savannah repository (https://cgit.git.savannah.gnu.org/cgit/wget.git/commit/?id=4f85853f641863d5915786a8413e1a213726a62b); no formally tagged release version (e.g., 1.26.0) has been independently confirmed at time of analysis, so monitor the upstream project and distribution channels for a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wget

View all
CVE-2014-4877 CRITICAL POC
9.3 Oct 29

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to w

CVE-2016-4971 HIGH POC
8.8 Jun 30

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F

CVE-2017-13089 HIGH
8.8 Oct 27

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high sev

CVE-2016-7098 HIGH POC
8.1 Sep 26

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow

CVE-2018-20483 HIGH POC
7.8 Dec 26

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata at

CVE-2017-13090 HIGH
8.8 Oct 27

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-0494 MEDIUM POC
6.5 May 06

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequen

CVE-2017-6508 MEDIUM POC
6.1 Mar 07

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject

CVE-2019-5953 CRITICAL
9.8 May 17

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute

CVE-2024-38428 CRITICAL
9.1 Jun 16

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be inse

CVE-2026-58469 HIGH
8.7 Jul 07

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving

CVE-2026-58470 MEDIUM
6.9 Jul 07

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sess

Share

CVE-2026-15146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy