diff --git a/CHANGELOG b/CHANGELOG
index bc653668d..d13edfd83 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#3317] Function url.build_path was mangling special characters in URL
+  path segments. [nnposter]
+
 Nmap 7.99 [2026-03-26]
 
 o Integrated many of the most-frequently-submitted IPv4 and IPv6 OS
diff --git a/nselib/url.lua b/nselib/url.lua
index 3c013d04e..0b3530c62 100644
--- a/nselib/url.lua
+++ b/nselib/url.lua
@@ -49,33 +49,17 @@ _VERSION = "URL 1.0"
 
 --[[ Internal functions --]]
 
-local function make_set(t)
-  local s = {}
-  for i,v in base.ipairs(t) do
-    s[t[i]] = 1
-  end
-  return s
-end
-
 local function hex_esc (c)
   return string.format("%%%02X", string.byte(c))
 end
 
--- these are allowed within a path segment, along with alphanum
--- other characters must be escaped
-local segment_set = make_set {
-  "-", "_", ".", "!", "~", "*", "'", "(",
-  ")", ":", "@", "&", "=", "+", "$", ",",
-}
-setmetatable(segment_set, { __index = function(t, c) return hex_esc(c) end })
-
 ---
 -- Protects a path segment, to prevent it from interfering with the
 -- URL parsing.
 -- @param s Binary string to be encoded.
 -- @return Escaped representation of string.
 local function protect_segment(s)
-  return string.gsub(s, "([^A-Za-z0-9_.~-])", segment_set)
+  return string.gsub(s, "[^-A-Za-z0-9_.!~*'():@&=+$,]", hex_esc)
 end
 
 ---
@@ -496,6 +480,15 @@ local test_urls = {
     },
     _nil = {"scheme", "userinfo", "port", "params", "extension"}
   },
+  { _url = "//example/exam+ple%2F/folder:443/k1=v1&k2=v2",
+    _res = {
+      authority = "example",
+      host = "example",
+      path = "/exam+ple%2F/folder:443/k1=v1&k2=v2",
+      is_folder = false,
+    },
+    _nil = {"scheme", "userinfo", "port", "params", "extension", "query", "fragment"}
+  },
   { _url = "//example?k1=v1&k2=v2",
     _res = {
       authority = "example",