CVE-2025-11563

MEDIUM
2026-02-25 2499f714-1537-4658-8207-48ae4bb9eae9
4.6
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch Released
Feb 26, 2026 - 20:06 nvd
Patch available
CVE Published
Feb 25, 2026 - 08:16 nvd
MEDIUM 4.6

Tags

Path Traversal Wcurl Redhat Suse

Description

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

Analysis

URLs containing percent-encoded slashes (/ or \) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]

Technical Context

Classified as CWE-22 (Path Traversal). Affects Wcurl. URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into

saving the output file outside of the current directory without the user

explicitly asking for it.

This flaw only affects the wcurl command line tool.

Affected Products

Vendor: Curl. Product: Wcurl.

Remediation

A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

Priority Score

23
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +23
POC: 0

Vendor Status

Share

CVE-2025-11563 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy