Cyber Posture

CVE-2025-13262

Severity: High · Public PoC

Published: 17 November 2025

Modified: 29 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to path traversal. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Directly requires validation of inputs like the 'sid' argument in UploadFileRequestHandler to block path traversal sequences such as '../'.
- Prevent: Mandates timely identification, reporting, and correction of the specific path traversal flaw in the lsfusion platform up to version 6.1.
- Prevent: Enforces approved access authorizations to restrict file system operations by the upload handler to authorized paths only, mitigating unauthorized access via traversal.
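The first and third controls above amount to one implementation rule: an untrusted identifier such as the 'sid' request argument must never reach the filesystem until it has been allow-listed and its resolved path has been confirmed to sit inside the upload directory. The following is an added example written for this page, not lsfusion's own code; the class, method and directory names are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example (not lsfusion's code): resolve an untrusted request
// identifier against a fixed upload directory and reject anything that
// could escape it. Class and method names are assumptions.
public final class SafeUploadPath {
    // Conservative allow-list for the identifier; dots, slashes and
    // backslashes are rejected before any filesystem call is made.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private SafeUploadPath() {}

    /** Returns the resolved target inside baseDir, or throws if sid is unsafe. */
    public static Path resolveUploadTarget(Path baseDir, String sid) {
        if (sid == null || !SAFE_ID.matcher(sid).matches()) {
            throw new IllegalArgumentException("rejected upload id: " + sid);
        }
        // Normalize both sides so '..' segments cannot confuse the containment check.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(sid).normalize();
        // Defence in depth: even with the allow-list, confirm the resolved
        // path is still a descendant of the upload directory.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory: " + sid);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path base = Files.createTempDirectory("uploads");
        // Constructed sample identifiers: one benign, the rest traversal attempts.
        System.out.println("accepted: " + resolveUploadTarget(base, "abc123"));
        for (String bad : new String[] {"../etc/passwd", "..", "a/b", "x\\y", ""}) {
            try {
                resolveUploadTarget(base, bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Logging the rejected identifier, as the example does, also gives the operations team a detection signal: repeated rejections from one source on the upload endpoint are worth alerting on.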

Security Summary (AI-generated)

CVE-2025-13262 is a path traversal vulnerability (CWE-22) in the lsfusion platform up to version 6.1. The flaw affects the UploadFileRequestHandler function in the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java, where manipulation of the 'sid' argument enables path traversal.

The vulnerability allows remote exploitation over the network with low attack complexity and no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). Attackers can achieve a low (partial) impact on confidentiality, integrity, and availability.

Advisories reference GitHub issues at https://github.com/lsfusion/platform/issues/1544 and https://github.com/lsfusion/platform/issues/1544#issue-3589610731, along with VulDB entries at https://vuldb.com/?ctiid.332597, https://vuldb.com/?id.332597, and https://vuldb.com/?submit.689414. The exploit has been publicly disclosed and may be utilized.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

lsfusion: lsfusion platform, versions ≤ 6.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in the remote file upload handler of a public-facing web application enables unauthenticated remote exploitation for arbitrary file placement.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References