CVE-2025-13261
published 2025-11-17
Priority P3 36, medium, 5.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS
0.61%
44.9th percentile
A vulnerability was found in lsfusion platform up to 6.1. It affects the function DownloadFileRequestHandler in the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Manipulating the argument Version results in path traversal. The attack can be carried out remotely. The exploit has been made public and could be used.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lsfusion | lsfusion_platform | <= 6.1 | — |
| lsfusion | platform | — | — |
| lsfusion | platform | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
OSV
lsFusion Platform has a Path Traversal vulnerability
osv·2025-11-17
CVE-2025-13261 [MEDIUM] lsFusion Platform has a Path Traversal vulnerability
GHSA
lsFusion Platform has a Path Traversal vulnerability
ghsa·2025-11-17
CVE-2025-13261 [MEDIUM] CWE-22 lsFusion Platform has a Path Traversal vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-17
Published