CVE-2025-11563

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

Published Feb 26, 2026

https://curl.se/docs/CVE-2025-11563.html

CVSS ScoreMedium

4.6

Ecosystem	Package	Version

Ecosystem	Package	Version

Vulnerabilities

CVE-2025-11563

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

Published Feb 26, 2026

https://curl.se/docs/CVE-2025-11563.html

CVSS ScoreMedium

4.6


conan	libcurl	8.15.0
conan	libcurl	8.16.0
conan	libcurl	8.17.0
conda	main/curl	8.14.1
conda	main/curl	8.15.0
conda	main/curl	8.16.0
conda	main/curl	8.17.0
conda	main/libcurl	8.14.1
conda	main/libcurl	8.15.0
conda	main/libcurl	8.16.0
conda	main/libcurl	8.17.0

Ecosystem	Package	Version


conan	libcurl	8.15.0
conan	libcurl	8.16.0
conan	libcurl	8.17.0
conda	main/curl	8.14.1
conda	main/curl	8.15.0
conda	main/curl	8.16.0
conda	main/curl	8.17.0
conda	main/libcurl	8.14.1
conda	main/libcurl	8.15.0
conda	main/libcurl	8.16.0
conda	main/libcurl	8.17.0

Find vulnerabilities. Fix fast with AI.

CVE-2025-11563

CVE-2025-11563