CVE-2026-15146
Awaiting Analysis Awaiting Analysis - Queue

FTP PASV Mode IP Spoofing SSRF in GNU Wget

Vulnerability report for CVE-2026-15146, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: CERT/CC

Description

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gnu wget to 1.25.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to perform server-side request forgery (SSRF) from the machine running Wget, potentially accessing internal network resources or localhost services. This unauthorized access to internal systems could lead to exposure or exfiltration of sensitive data.

Such unauthorized access and potential data exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could lead to violations of these standards by enabling attackers to bypass network protections and access protected data or systems.

Executive Summary

The vulnerability in GNU Wget involves its FTP passive mode implementation where it does not validate the IP address provided by the FTP server's PASV response.

A malicious FTP server or an HTTP server redirecting to an FTP URL can exploit this by sending a spoofed PASV response with an arbitrary IP address and port.

This causes Wget to redirect its data connection to an attacker-controlled or arbitrary host, enabling server-side request forgery (SSRF).

As a result, the attacker can make Wget access internal network services or localhost resources that would otherwise be inaccessible.

Impact Analysis

This vulnerability can allow an attacker to exploit Wget running on your machine to perform server-side request forgery (SSRF).

An attacker can redirect Wget's data connection to arbitrary IP addresses and ports, potentially accessing internal network services or localhost resources that are normally protected.

This could lead to unauthorized access to sensitive internal systems, data exposure, or further exploitation within your network.

Detection Guidance

This vulnerability can be detected by testing whether GNU Wget accepts and connects to spoofed IP addresses provided in FTP PASV responses. One approach is to use a fake or controlled FTP server that returns a spoofed PASV response with an IP address different from the control connection's peer address.

If Wget connects to the spoofed IP address without error, it is vulnerable. If it rejects the spoofed response with an error message, it is patched.

A practical detection method involves running a test FTP server that sends a PASV response with a forged IP address and observing Wget's behavior.

Specific commands are not provided in the resources, but the concept involves:

  • Setting up or using a test FTP server that returns a spoofed PASV response.
  • Running Wget to connect to this FTP server.
  • Observing whether Wget connects to the spoofed IP or rejects the connection.
Mitigation Strategies

The primary mitigation step is to update GNU Wget to the latest version that includes the fix for this vulnerability.

The fix ensures that Wget validates the IP address in the FTP PASV response against the control connection's peer address and rejects mismatched responses, preventing SSRF attacks.

Until the update can be applied, avoid using Wget to retrieve files from untrusted FTP servers or HTTP servers that redirect to FTP URLs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart