PatchSiren

GNU wget CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM GNU wget CVE published 2026-07-10

CVE-2026-15146

GNU Wget is affected by a vulnerability that allows for server-side request forgery (SSRF) attacks when operating in FTP passive mode. The vulnerability is caused by Wget not validating the IP address provided by an FTP PASV response. This allows a malicious FTP server or an HTTP server that redirects to an FTP URL to redirect Wget's data connection to an arbitrary IP address and port. The impact of this [truncated]