CVE-2025-11563
MEDIUM4.6EPSS 0.02%Published: 2/25/2026Modified: 4/28/2026
Description
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
Affected packages (1)
- Debian/curlfrom 0, < 8.14.1-2+deb13u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |