CVE-2025-13261

Name of the Vulnerable Software and Affected Versions lsfusion platform versions prior to 6.1

Description A flaw exists in the lsfusion platform that allows for path traversal. This issue affects the DownloadFileRequestHandler function located in the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Manipulation of the Version argument can lead to exploitation. The exploit has been publicly disclosed.

Recommendations Update to a version beyond 6.1. As a temporary workaround, consider restricting access to the DownloadFileRequestHandler function until a patch is available.