Cyber Resilience

CVE-2025-13262

Severity: Medium · Public PoC

Published: 17 November 2025
Modified: 29 April 2026
KEV Added: (not listed)
Patch:
CVSS Score (v4): 5.5, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0021 (43.2nd percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13262 is a medium-severity Path Traversal (CWE-22) vulnerability in the lsfusion platform (vendor: lsfusion). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-13262 is a path traversal vulnerability (CWE-22) in the lsfusion platform up to version 6.1. The flaw affects the UploadFileRequestHandler function in the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java, where manipulation of the 'sid' argument enables path traversal.

The vulnerability can be exploited remotely over the network with low attack complexity and no privileges or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). Successful exploitation has a low impact on each of confidentiality, integrity, and availability.

Advisories reference GitHub issues at https://github.com/lsfusion/platform/issues/1544 and https://github.com/lsfusion/platform/issues/1544#issue-3589610731, along with VulDB entries at https://vuldb.com/?ctiid.332597, https://vuldb.com/?id.332597, and https://vuldb.com/?submit.689414. The exploit has been publicly disclosed and may be utilized.

EU & UK References

Vulnerability details

A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to path traversal. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in remote file upload handler of public-facing web application enables unauthenticated remote exploitation for arbitrary file placement.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64075 (shared CWE-22)
CVE-2024-53537 (shared CWE-22)
CVE-2024-36512 (shared CWE-22)
CVE-2025-0493 (shared CWE-22)
CVE-2025-70231 (shared CWE-22)
CVE-2026-43888 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2026-25785 (shared CWE-22)
CVE-2025-11366 (shared CWE-22)
CVE-2026-1810 (shared CWE-22)

Affected Assets

Vendor: lsfusion
Product: lsfusion platform
Versions: ≤ 6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: SI-10 (Information Input Validation)

Directly requires validation of inputs such as the 'sid' argument in UploadFileRequestHandler, so that path traversal sequences such as '../' are rejected before any file system operation.

prevent: SI-2 (Flaw Remediation)

Mandates timely identification, reporting, and correction of this path traversal flaw in the lsfusion platform up to version 6.1, i.e. upgrading to a fixed release once available.

prevent

Enforces approved access authorizations so that the upload handler can only operate on files under its designated upload directory, limiting what a traversal attempt could reach even if input validation is bypassed.
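As an added illustration of the input-validation and path-containment controls listed above, the following Java snippet shows a defensive pattern for resolving a client-supplied identifier inside a fixed upload directory. This is example code written for this page, not lsfusion's own implementation; the class name SafeUploadPath, the upload root /var/app/uploads, and the identifier allow-list are assumptions chosen for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Demonstrates two layered checks for a client-supplied file identifier:
 * 1. an allow-list on the identifier itself (SI-10 style input validation), and
 * 2. a containment check that the resolved, normalized path stays under the
 *    upload root (access enforcement / defense in depth).
 * Assumed names; this is not lsfusion's code.
 */
public final class SafeUploadPath {

    // Assumed upload root for the example. It is normalized once so that the
    // containment check below compares canonical paths.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Allow-list: letters, digits, underscore and dash, bounded length.
    // Anything else (slashes, dots, percent signs, NUL) is rejected outright,
    // so "../" sequences and encoded variants never reach the file system.
    private static final Pattern SID_PATTERN = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private SafeUploadPath() {}

    /**
     * Resolves an untrusted identifier to a path under UPLOAD_ROOT.
     * Throws IllegalArgumentException on any input that fails validation.
     */
    public static Path resolve(String sid) {
        if (sid == null || !SID_PATTERN.matcher(sid).matches()) {
            throw new IllegalArgumentException("invalid sid");
        }
        // Normalize after resolving so any ".." components are collapsed before
        // the containment check; Path.startsWith compares whole path components,
        // so a sibling directory such as /var/app/uploads2 would not pass.
        Path target = UPLOAD_ROOT.resolve(sid).normalize();
        if (!target.startsWith(UPLOAD_ROOT) || target.equals(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    // Constructed sample inputs: one benign identifier and three malformed ones.
    public static void main(String[] args) {
        String[] samples = {
            "report-42",
            "../../etc/passwd",
            "..%2F..%2Fetc%2Fpasswd",
            "sub/dir"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The allow-list is the primary control: an identifier that should only ever be an opaque token has no legitimate reason to contain path separators or dots, so rejecting them is simpler and more robust than trying to strip traversal sequences. The normalized startsWith check is the second layer, and it is what keeps a future change to the allow-list (for example, permitting subdirectories) from silently reintroducing the escape.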

References