wcurl path traversal with percent-encoded slashes — CVE-2025-11563

Summary

Advisory CVE-2025-11563. wcurl path traversal with percent-encoded slashes Vendor: Microsoft. Source: MSRC. Threat: medium. CVSS 4.6. See the official advisory for details.

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c. CVE-2025-61145
• libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c. CVE-2025-61143
• bonding: annotate data-races around slave->last_rx CVE-2026-23212
• crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly CVE-2026-23222
• erofs: fix UAF issue for file-backed mounts w/ directio option CVE-2026-23224
• hfs: ensure sb->s_fs_info is always cleaned up CVE-2025-71230
• ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths CVE-2026-23220
• Libsoup: out-of-bounds read in libsoup handle_partial_get() leading to heap information disclosure CVE-2026-2443
• mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free CVE-2026-1979
• nilfs2: Fix potential block overflow that cause system hang CVE-2025-71237
• Qemu-kvm: heap buffer out-of-bounds read in vmdk compressed grain parsing CVE-2026-2243
• riscv: trace: fix snapshot deadlock with sbi ecall CVE-2026-23217