curl is vulnerable to cross-site scripting. The vulnerability exists due to the curl URL parser wrongly accepts percent-encoded URL separators like /
when decoding the host name part of a URL which allows an attacker to inject and execute arbitrary javascript.