Untriaged
Permalink
CVE-2026-15146
5.9 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
CVE-2026-15146
GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.
References
Affected products
Wget
- =<1.25.0 before commit 4f85853f641863d5915786a8413e1a213726a62b
Matching in nixpkgs
pkgs.wget
Tool for retrieving files using HTTP, HTTPS, and FTP
pkgs.wget2
Successor of GNU Wget, a file and recursive website downloader
pkgs.wgetpaste
Command-line interface to various pastebins
pkgs.python313Packages.wget
Pure python download utility
Package maintainers
-
@prusnak Pavol Rusnak <pavol@rusnak.io>
-
@fpletz Franz Pletz <fpletz@fnordicwalking.de>
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@qknight Joachim Schiele <js@lastlog.de>