PatchSiren cyber security CVE debrief
CVE-2026-15146 GNU wget CVE debrief
GNU Wget is affected by a vulnerability that allows for server-side request forgery (SSRF) attacks when operating in FTP passive mode. The vulnerability is caused by Wget not validating the IP address provided by an FTP PASV response. This allows a malicious FTP server or an HTTP server that redirects to an FTP URL to redirect Wget's data connection to an arbitrary IP address and port. The impact of this vulnerability is that an attacker could potentially access localhost services or internal network resources from the machine running Wget. Users of GNU Wget, especially those operating in FTP passive mode, should verify their configurations and consider updating to a version that validates IP addresses from FTP PASV responses.
- Vendor
- GNU wget
- Product
- Wget
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of GNU Wget, especially those operating in FTP passive mode, should verify their configurations and consider updating to a version that validates IP addresses from FTP PASV responses. This includes administrators and security teams responsible for managing and securing systems that use GNU Wget. Additionally, operators and platform administrators may need to review and update their configurations to mitigate the vulnerability.
Technical summary
GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget's data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources. The affected product is GNU Wget, and the vulnerability is related to its handling of FTP PASV responses.
Defensive priority
Medium priority due to the CVSS score of 5.9 and potential for SSRF attacks.
Recommended defensive actions
- Verify and update GNU Wget to a version that validates IP addresses from FTP PASV responses
- Review and restrict FTP and HTTP access to trusted sources
- Monitor for suspicious activity related to Wget usage
- Implement additional security measures for internal network resources
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD detail provide information about the vulnerability in GNU Wget. However, further analysis is needed to fully understand the impact and affected scope. The vulnerability allows for server-side request forgery (SSRF) attacks by redirecting Wget's data connection to an arbitrary IP address and port. This could potentially allow attackers to access localhost services or internal network resources. Evidence from the CVE record and NVD detail should be verified, and additional information from other sources may be necessary to fully assess the vulnerability.
Official resources
-
CVE-2026-15146 CVE record
CVE.org
-
CVE-2026-15146 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:20.307Z and has not been modified since then.