Search
Find a vulnerability
Search criteria
2 vulnerabilities found for wcurl by curl
CVE-2025-11563 (GCVE-0-2025-11563)
Vulnerability from nvd – Published: 2026-02-25 07:20 – Updated: 2026-02-25 18:53
VLAI
EPSS
VEX
Title
wcurl path traversal with percent-encoded slashes
Summary
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-25T07:24:31.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/04/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T18:53:51.461545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T18:53:58.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://lists.debian.org/debian-release/2025/11/msg00504.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "curl",
"vendor": "curl",
"versions": [
{
"lessThanOrEqual": "8.17.0",
"status": "affected",
"version": "8.17.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.16.0",
"status": "affected",
"version": "8.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.15.0",
"status": "affected",
"version": "8.15.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.14.1",
"status": "affected",
"version": "8.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "8.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stanislav Fort (Aisle Research)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Samuel Henrique"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sergio Durigan Junior"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Xi Ruoyao"
}
],
"descriptions": [
{
"lang": "en",
"value": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into\nsaving the output file outside of the current directory without the user\nexplicitly asking for it.\n\nThis flaw only affects the wcurl command line tool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-35 Path Traversal",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T07:20:47.012Z",
"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"shortName": "curl"
},
"references": [
{
"name": "json",
"url": "https://curl.se/docs/CVE-2025-11563.json"
},
{
"name": "www",
"url": "https://curl.se/docs/CVE-2025-11563.html"
}
],
"title": "wcurl path traversal with percent-encoded slashes"
}
},
"cveMetadata": {
"assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"assignerShortName": "curl",
"cveId": "CVE-2025-11563",
"datePublished": "2026-02-25T07:20:47.012Z",
"dateReserved": "2025-10-09T13:50:54.563Z",
"dateUpdated": "2026-02-25T18:53:58.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11563 (GCVE-0-2025-11563)
Vulnerability from cvelistv5 – Published: 2026-02-25 07:20 – Updated: 2026-02-25 18:53
VLAI
EPSS
VEX
Title
wcurl path traversal with percent-encoded slashes
Summary
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-25T07:24:31.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/04/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T18:53:51.461545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T18:53:58.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://lists.debian.org/debian-release/2025/11/msg00504.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "curl",
"vendor": "curl",
"versions": [
{
"lessThanOrEqual": "8.17.0",
"status": "affected",
"version": "8.17.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.16.0",
"status": "affected",
"version": "8.16.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.15.0",
"status": "affected",
"version": "8.15.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.14.1",
"status": "affected",
"version": "8.14.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.14.0",
"status": "affected",
"version": "8.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stanislav Fort (Aisle Research)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Samuel Henrique"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Sergio Durigan Junior"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Xi Ruoyao"
}
],
"descriptions": [
{
"lang": "en",
"value": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into\nsaving the output file outside of the current directory without the user\nexplicitly asking for it.\n\nThis flaw only affects the wcurl command line tool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-35 Path Traversal",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T07:20:47.012Z",
"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"shortName": "curl"
},
"references": [
{
"name": "json",
"url": "https://curl.se/docs/CVE-2025-11563.json"
},
{
"name": "www",
"url": "https://curl.se/docs/CVE-2025-11563.html"
}
],
"title": "wcurl path traversal with percent-encoded slashes"
}
},
"cveMetadata": {
"assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"assignerShortName": "curl",
"cveId": "CVE-2025-11563",
"datePublished": "2026-02-25T07:20:47.012Z",
"dateReserved": "2025-10-09T13:50:54.563Z",
"dateUpdated": "2026-02-25T18:53:58.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}