Vulnerability in Gnu Wget

CVE-2026-15146

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data conne…

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

References

Frequently asked questions

What is CVE-2026-15146?
CVE-2026-15146 is a medium-severity vulnerability in Gnu Wget, classified under CWE-918 SERVER-SIDE REQUEST FORGERY (SSRF). CVSS score: 5.9/10. Published 2026-07-10.
How severe is CVE-2026-15146?
Medium severity. CVSS v3 base score is 5.9 out of 10.