CVE-2025-11563

Sažetak

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.

Reference

https://curl.se/docs/CVE-2025-11563.html
https://curl.se/docs/CVE-2025-11563.json
http://www.openwall.com/lists/oss-security/2025/11/04/1
https://lists.debian.org/debian-release/2025/11/msg00504.html

CVSS

Base:	4.6
Impact:	2.5
Exploitability:	2.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

26-02-2026 - 20:06

Objavljeno

25-02-2026 - 08:16