PT-2025-47109 · Unknown · Lsfusion Platform

R1Ckyz · Published 2025-11-17 · Updated 2025-12-01 · CVE-2025-13261

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

lsfusion platform versions prior to 6.1

Description

A flaw exists in the lsfusion platform that allows for path traversal. This issue affects the DownloadFileRequestHandler function located in the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Manipulation of the Version argument can lead to exploitation. The exploit has been publicly disclosed.

Recommendations

Update to a version beyond 6.1. As a temporary workaround, consider restricting access to the DownloadFileRequestHandler function until a patch is available.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-13261
GHSA-5JPG-2RJ5-964C

Affected Products

Lsfusion Platform