CVE-2016-7098

HIGH

wget < 1.17 - Race Condition in Recursive/Mirroring Mode

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-7098. PoCs published by Dawid Golunski.

AI-analyzed exploit summary This exploit demonstrates a race condition in GNU Wget < 1.18 where the access list (-A) check is bypassed by delaying the HTTP response, allowing an attacker to upload a malicious file before it is deleted. The PoC sets up a web server to serve a PHP webshell and triggers its execution before Wget removes it.

Description

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Dawid Golunski · pythonremotemultiple

https://www.exploit-db.com/exploits/40824

View Code ZIP pw:eip

This exploit demonstrates a race condition in GNU Wget < 1.18 where the access list (-A) check is bypassed by delaying the HTTP response, allowing an attacker to upload a malicious file before it is deleted. The PoC sets up a web server to serve a PHP webshell and triggers its execution before Wget removes it.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: GNU Wget < 1.18

No auth needed

Prerequisites: Attacker-controlled server to host the exploit · Victim system running vulnerable Wget version · Victim application using Wget with recursive mode and access list

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →