CVE-2025-11563

MEDIUM 4.6

wcurl path traversal with percent-encoded slashes

CVSS Score

4.6

EPSS Score

0.0%

EPSS Percentile

0th

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

Vendor	curl
Product	curl
Published	Feb 25, 2026
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for curl curl

Be the first to know when new medium vulnerabilities affecting curl curl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

curl / curl

8.17.0 ≤ 8.17.0 8.16.0 ≤ 8.16.0 8.15.0 ≤ 8.15.0 8.14.1 ≤ 8.14.1 8.14.0 ≤ 8.14.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

curl.se: https://curl.se/docs/CVE-2025-11563.json curl.se: https://curl.se/docs/CVE-2025-11563.html openwall.com: http://www.openwall.com/lists/oss-security/2025/11/04/1 lists.debian.org: https://lists.debian.org/debian-release/2025/11/msg00504.html

Credits

Stanislav Fort (Aisle Research) Samuel Henrique Sergio Durigan Junior Xi Ruoyao