CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-15146

mediumCVSS 5.9covered by 1 sourcefirst seen 2026-07-10
GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

⚡ Watch CVE-2026-15146

Get an email if CVE-2026-15146 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-15146

CVE.org record

Embed the live status

CVE-2026-15146 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-15146 status](https://www.csirts.com/badge/CVE-2026-15146)](https://www.csirts.com/cve/CVE-2026-15146)