URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.CreditsStanislav Fort (Aisle Research)Samuel HenriqueSergio Durigan JuniorXi RuoyaoReferenceshttps://curl.se/docs/CVE-2025-11563.jsonhttps://curl.se/docs/CVE-2025-11563.html