Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.6
wcurl allows saving files outside the intended directory
CVE-2025-11563
Summary
A flaw in wcurl can cause files to be saved outside the current directory when a specific type of URL is used. This affects the command line tool wcurl and can potentially lead to unauthorized file access. Users should be cautious when using wcurl and verify the output file path to ensure it is correct.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| curl | wcurl | > 2024-12-08 , <= 2025-11-09 | – |
Original title
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects ...
Original description
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
nvd CVSS3.1
4.6
Vulnerability type
CWE-22
Path Traversal
- https://curl.se/docs/CVE-2025-11563.html Patch Vendor Advisory
- https://curl.se/docs/CVE-2025-11563.json Vendor Advisory
- http://www.openwall.com/lists/oss-security/2025/11/04/1 Mailing List Third Party Advisory
- https://lists.debian.org/debian-release/2025/11/msg00504.html Mailing List Third Party Advisory Patch
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026