Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2026-15146
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 3 days, 22 hours ago Activity log
  • Created suggestion
CVE-2026-15146

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

Affected products

Wget
  • =<1.25.0 before commit 4f85853f641863d5915786a8413e1a213726a62b

Matching in nixpkgs

pkgs.wget

Tool for retrieving files using HTTP, HTTPS, and FTP

pkgs.wget2

Successor of GNU Wget, a file and recursive website downloader

pkgs.wgetpaste

Command-line interface to various pastebins

  • nixos-unstable 2.34
    • nixpkgs-unstable 2.34
    • nixos-unstable-small 2.34
  • nixos-26.05 2.34
    • nixos-26.05-small 2.34
    • nixpkgs-26.05-darwin 2.34

Package maintainers