CVE-2025-11563
Published 2026-02-25
Priority P4 23 medium · 4.6 CVSS 3.1 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS: 0.02% (5.7th percentile)
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.14.0 – 8.14.0 | — |
| curl | curl | 8.14.1 – 8.14.1 | — |
| curl | curl | 8.15.0 – 8.15.0 | — |
| curl | curl | 8.16.0 – 8.16.0 | — |
| curl | curl | 8.17.0 – 8.17.0 | — |
| curl | wcurl | >= 2024-12-08 < 2025-11-09 | 2025-11-09 |
| debian | curl | < curl 8.17.0-2 (forky) | curl 8.17.0-2 (forky) |
| haxx | curl | >= 0 < 8.14.1-2+deb13u2 | 8.14.1-2+deb13u2 |
| haxx | curl | >= 0 < 8.17.0-2 | 8.17.0-2 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.22 | 7.81.0-1ubuntu1.22 |
| haxx | curl | >= 0 < 8.5.0-2ubuntu10.7 | 8.5.0-2ubuntu10.7 |
| haxx | curl | >= 0 < 8.14.1-2ubuntu1.1 | 8.14.1-2ubuntu1.1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.20+esm19 | 7.35.0-1ubuntu2.20+esm19 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.19+esm15 | 7.47.0-1ubuntu2.19+esm15 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.24+esm7 | 7.58.0-2ubuntu3.24+esm7 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.25+esm2 | 7.68.0-1ubuntu2.25+esm2 |
| msrc | azl3_mysql_8.0.45-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-24_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.90.0-3_on_azure_linux_3.0 | — | — |
| msrc | cbl2_mysql_8.0.45-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 4.6 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| osv | 5.3 | MEDIUM | — |
| vendor_ubuntu | 5.3 | MEDIUM | — |
| vendor_debian | 4.6 | LOW | — |
| vendor_msrc | 4.6 | MEDIUM | — |
| vendor_redhat | 4.6 | MEDIUM | — |
OSV · 2026-03-03 · CVSS 5.3 · CVE-2025-14017 [MEDIUM]: curl vulnerabilities
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and U
OSV · 2026-02-25 · CVSS 5.3 · CVE-2025-9086 [MEDIUM]: curl vulnerabilities
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
GHSA · ghsa_unreviewed · 2026-02-25 · CVE-2025-11563 [MEDIUM] · CWE-22 · GHSA-6xq2-fm6w-mxfm
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
OSV · 2026-02-25 · CVSS 4.6 · CVE-2025-11563 [MEDIUM]
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
Ubuntu · 2026-03-03 · CVSS 5.3 · CVE-2025-15224 [MEDIUM]: curl vulnerabilities
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malic
Red Hat · 2026-02-25 · CVSS 4.6 · CVE-2025-11563 [MEDIUM] · CWE-22: wcurl: Arbitrary file placement via crafted URLs
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
A flaw was found in wcurl. This vulnerability allows a remote attacker to manipulate the location where output files are saved. By crafting a malicious URL with percent-encoded slashes, the attacker can trick the wcurl command-line tool into writing files outside of the intended directory. This could lead to unauthorized file placement on the system.
Statement: Note: this vulnerability only affects the wcurl command line tool.
Mitigation: Some potential mitigations to limit the risk of this vulnerability inclu
Ubuntu · 2026-02-25 · CVSS 5.3 · CVE-2025-13034 [MEDIUM]: curl vulnerabilities
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted UR
Microsoft · 2026-02-10 · CVSS 4.6 · CVE-2025-11563 [MEDIUM]: wcurl path traversal with percent-encoded slashes
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Debian · 2025 · CVSS 4.6 · CVE-2025-11563 [MEDIUM]: curl
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.17.0-2)
sid: resolved (fixed in 8.17.0-2)
trixie: resolved (fixed in 8.14.1-2+deb13u2)
No detection rules found.
No public exploits indexed.
Wiz · CVSS 3.1 · CVE-2025-15224 [LOW]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15224: cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Source: NVD
Score: 3.1 · Published: January 8, 2026 · Severity: LOW · CNA Score: 3.1
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 24.4 · Exploitation Probability (EPSS): 0.1
Affected packages and libraries: curl, libcurl4
Sources:
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 · Severity LOW · No Fix · Added at: Jan 21, 2026
Alpine 3.22, 3.23 · Severity LOW · No Fix · Added at: Jan 28, 2026
Wiz · CVSS 5.3 · CVE-2025-15079 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15079: cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts
not present in the specified file if they were added as recognized in the
libssh global known_hosts file.
Source: NVD
Score: 5.3 · Published: January 8, 2026 · Severity: MEDIUM · CNA Score: 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.3 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: curl-debuginfo, libcurl-devel
Sources:
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 · Severity MED
Wiz · CVSS 5.3 · CVE-2025-14819 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14819: cURL vulnerability analysis and mitigation
CURLSSLOPT_NO_PARTIALCHAIN
Source: NVD
Score: 5.3 · Published: January 8, 2026 · Severity: MEDIUM · CNA Score: 5.3
Affected Technologies: cURL, Libcurl
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.9 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl-minimal-debuginfo, libcurl-devel-doc
Sources:
Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 · Severity MEDIUM · Has Fix · Added at: Jan 21, 2026
Alpine 3.22, 3.23 · Severity MEDIUM · Has Fix · Added at: Jan 28, 2026
Alpine edge · Severity MEDIUM · Has Fix · Added at: Jan 08, 2026
Container-Optimized OS · Severity MEDIUM · Has Fix · Added at: Mar 03, 2026
Debian 1
Wiz · CVSS 4.6 · CVE-2026-3805 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3805: cURL vulnerability analysis and mitigation
When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.
Source: NVD
Score: 7.5 · Published: March 11, 2026 · Severity: HIGH · CNA Score: 7.5
Affected Technologies: cURL, Libcurl
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.7 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: rust-debugger-common, rust-src
Sources:
Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge · Severity HIGH · Has Fix · Added at: Mar 13, 2026
Debian 13 · Severity MEDIUM · No Fix · Added at: Mar 12, 2026
Debian 14 · Severity HIGH · Has Fix · Added at: Mar 12, 2026
Homebrew · Severity HI
Wiz · CVSS 5.3 · CVE-2025-14524 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14524: cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
Source: NVD
Score: 5.3 · Published: January 8, 2026 · Severity: MEDIUM · CNA Score: 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.2 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl-devel-32bit, curl-zsh-completion
Sources:
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 · Severity MEDI
Wiz · CVSS 6.5 · CVE-2026-3784 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3784: cURL vulnerability analysis and mitigation
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Source: NVD
Score: 6.5 · Published: March 11, 2026 · Severity: MEDIUM · CNA Score: 6.5
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.1 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl, rust-doc
Sources:
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge · Severity MEDIUM · Has Fix · Added at: Mar 13, 20
Wiz · CVSS 6.5 · CVE-2026-1965 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1965: cURL vulnerability analysis and mitigation
libcurl can in some circumstances reuse the wrong connection when asked to do
a Negotiate-authenticated HTTP or HTTPS request.

libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.

When reusing a connection, a range of criteria must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates connections and not requests, contrary
to how HTTP is designed to work.
user1:password1
user2:password2
CURLOPT_HTTPAUTH
CURLOPT_FRESH_CONNECT
C
Wiz · CVSS 5.9 · CVE-2025-13034 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13034: cURL vulnerability analysis and mitigation
CURLOPT_PINNEDPUBLICKEY
--pinnedpubkey
This check was skipped in a certain condition that would then make curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS and the user had to explicitly disable the
standard certificate verification.
Source: NVD
Score: 5.9 · Published: January 8, 2026 · Severity: MEDIUM · CNA Score: 5.9
Affected Technologies: cURL, Libcurl
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.2 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: curl
Wiz · CVSS 4.6 · CVE-2025-11563 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11563: cURL vulnerability analysis and mitigation
## Overview
CVE-2025-11563 is a path traversal vulnerability affecting wcurl, discovered on October 6, 2025, and publicly disclosed on November 4, 2025. The vulnerability affects wcurl versions shipped with curl 8.14.0 to 8.16.0 and standalone wcurl versions from 2024.12.08 to 2025.09.27. This security flaw allows URLs containing percent-encoded slashes (`/` or `\`) to trick wcurl into saving output files outside of the current directory without explicit user permission (Curl Advisory).
## Technical details
The vulnerability is classified as CWE-35: Path Traversal with a Moderate severity rating. The issue stems from wcurl's handling of percent-encoded slashes in URLs, where the tool incorrectly processes URLs containing p
Wiz · CVSS 6.3 · CVE-2025-14017 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14017: cURL vulnerability analysis and mitigation
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.
Source: NVD
Score: 6.3 · Published: January 8, 2026 · Severity: MEDIUM · CNA Score: 6.3
Affected Technologies: cURL, Libcurl
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.6 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: snphost, cpe:2.3:a:haxx:curl
Sources:
Alp
Wiz · CVSS 5.3 · CVE-2026-3783 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3783: cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
machine
default
Source: NVD
Score: 5.3 · Published: March 11, 2026 · Severity: MEDIUM · CNA Score: 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.5 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: s390utils-mon_statd, trustee-guest-components
Sources:
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge · Severity MEDIUM · Has Fix Ad
Bugzilla · 2026-02-25 · CVSS 4.6 · CVE-2025-11563 [MEDIUM]: wcurl: wcurl: Arbitrary file placement via crafted URLs
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
Published: 2026-02-25