CVE-2025-13262 — lsFusion Platform has a Path Traversal vulnerability

Description

A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to path traversal. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

How to fix CVE-2025-13262

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-13262 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-13262
PATCHgithub.com/lsfusion/platform
WEBgithub.com/lsfusion/platform/issues/1544
WEBgithub.com/lsfusion/platform/issues/1544#issue-3589610731
WEBvuldb.com