CVE-2025-11563

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

25/02/2026

Last modified:

25/02/2026

Description

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into<br /> saving the output file outside of the current directory without the user<br /> explicitly asking for it.<br /> <br /> This flaw only affects the wcurl command line tool.

Impact

References to Advisories, Solutions, and Tools

https://curl.se/docs/CVE-2025-11563.html
https://curl.se/docs/CVE-2025-11563.json
http://www.openwall.com/lists/oss-security/2025/11/04/1