UBUNTU-CVE-2026-15146

Source
https://ubuntu.com/security/CVE-2026-15146
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-15146
Upstream
  • CVE-2026-15146
Published
2026-07-13T00:00:00Z
Modified
2026-07-14T23:30:08.441386008Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources.

References

Affected packages

Ubuntu:22.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.21-1ubuntu3
1.21-1ubuntu4
1.21-1ubuntu5
1.21.2-2ubuntu1
1.21.2-2ubuntu1.1
1.21.2-2ubuntu1.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.21.2-2ubuntu1.3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"
Ubuntu:24.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.21.3-1ubuntu1
1.21.4-1ubuntu1
1.21.4-1ubuntu2
1.21.4-1ubuntu3
1.21.4-1ubuntu4
1.21.4-1ubuntu4.1
1.21.4-1ubuntu4.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.21.4-1ubuntu4.3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"
Ubuntu:26.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.25.0-2ubuntu3
1.25.0-2ubuntu4
1.25.0-2ubuntu4.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.25.0-2ubuntu4.2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"
Ubuntu:Pro:14.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.14-2ubuntu1
1.14-5ubuntu1
1.15-1ubuntu1
1.15-1ubuntu1.14.04.1
1.15-1ubuntu1.14.04.2
1.15-1ubuntu1.14.04.3
1.15-1ubuntu1.14.04.4
1.15-1ubuntu1.14.04.5
1.15-1ubuntu1.14.04.5+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.15-1ubuntu1.14.04.5+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"
Ubuntu:Pro:16.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=esm-infra-legacy%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.16.1-1ubuntu1
1.17.1-1ubuntu1
1.17.1-1ubuntu1.1
1.17.1-1ubuntu1.2
1.17.1-1ubuntu1.3
1.17.1-1ubuntu1.4
1.17.1-1ubuntu1.5
1.17.1-1ubuntu1.5+esm1
1.17.1-1ubuntu1.5+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.17.1-1ubuntu1.5+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"
Ubuntu:Pro:18.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.19.1-3ubuntu1
1.19.1-3ubuntu1.1
1.19.2-1ubuntu1
1.19.3-2ubuntu1
1.19.4-1ubuntu2
1.19.4-1ubuntu2.1
1.19.4-1ubuntu2.2
1.19.4-1ubuntu2.2+esm1
1.19.4-1ubuntu2.2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.19.4-1ubuntu2.2+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"
Ubuntu:Pro:20.04:LTS
wget

Package

Name
wget
Purl
pkg:deb/ubuntu/wget?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.20.3-1ubuntu1
1.20.3-1ubuntu2
1.20.3-1ubuntu2.1
1.20.3-1ubuntu2.1+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "wget",
            "binary_version": "1.20.3-1ubuntu2.1+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-15146.json"