CVE-2026-15146 in Wgetinfo

Summary

by MITRE • 07/10/2026

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists in GNU Wget when operating in FTP passive mode where the client expects the server to provide a valid IP address in the PASV response for establishing data connections. The flaw stems from insufficient validation of the IP address provided by the FTP server during the passive connection establishment process. When Wget receives a PASV response containing an IP address, it directly uses this address without verifying its legitimacy or ensuring it matches the expected server address. This behavior creates a critical security gap that allows malicious actors to manipulate the FTP server response to redirect subsequent data connections to arbitrary IP addresses and ports.

The technical implementation of this vulnerability aligns with CWE-20, which describes improper input validation, specifically in the context of network protocol handling. When an attacker controls an FTP server or can intercept HTTP redirects to FTP URLs, they can craft malicious PASV responses that contain spoofed IP addresses. This allows for server-side request forgery attacks where Wget acts as an unwitting proxy for the attacker's requests, potentially accessing internal services that would normally be protected by network segmentation. The vulnerability is particularly dangerous because it operates at the protocol level where Wget trusts the server response without proper verification mechanisms.

The operational impact of this vulnerability extends beyond simple data theft or unauthorized access. An attacker could leverage this weakness to perform reconnaissance on localhost services, access internal network resources that are not directly exposed to the internet, or even conduct more sophisticated attacks such as port scanning or service exploitation. The attack surface is broad since Wget is commonly used in automated environments, build systems, and security tools where it may run with elevated privileges or access to sensitive network resources. This vulnerability particularly affects systems that use Wget for downloading content from untrusted sources, making it a significant concern for organizations with robust internal network security policies.

Mitigation strategies should focus on implementing proper IP address validation in the FTP passive mode implementation. Organizations should ensure they are using updated versions of Wget where this vulnerability has been patched and validated. Network segmentation and firewall rules should be implemented to restrict outbound FTP connections, particularly to localhost or internal network ranges. Additionally, administrators should consider deploying network monitoring solutions that can detect unusual FTP traffic patterns or connections to unexpected IP addresses. The ATT&CK framework categorizes this as a server-side request forgery technique where the attacker leverages legitimate client tools to bypass network security controls and access protected resources through the compromised client application.

Responsible

Certcc

Reservation

07/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!