PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-45870 LogicalDOC CVE debrief

LogicalDOC Enterprise up to and including v9.1.1 is vulnerable to Local File Inclusion (LFI) via the OnlyOfficeEditor servlet class. This vulnerability allows an authenticated user to exploit path traversal flaws in the fileExt parameter, enabling unauthorized access to sensitive files outside designated directories. The vulnerability has a significant impact on confidentiality and could lead to data breaches if exploited.

Vendor
LogicalDOC
Product
LogicalDOC Enterprise
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of LogicalDOC Enterprise up to and including v9.1.1 should assess the vulnerability and apply patches or mitigations as necessary. Security teams and administrators responsible for LogicalDOC Enterprise deployments should prioritize this vulnerability due to its potential impact on data confidentiality.

Technical summary

LogicalDOC Enterprise up to and including v9.1.1 is vulnerable to Local File Inclusion (LFI) via the OnlyOfficeEditor servlet class. This vulnerability allows an authenticated user to exploit path traversal flaws in the fileExt parameter, enabling unauthorized access to sensitive files outside designated directories. The vulnerability has a significant impact on confidentiality and could lead to data breaches if exploited. Affected product deployments should be identified and prioritized for patching or mitigation. Security teams and administrators should review official advisories and assess potential impact based on available details. Input validation and sanitization for the fileExt parameter should be implemented, and monitoring for suspicious activity related to file access and traversal is recommended.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by the vendor to address the Local File Inclusion vulnerability
  • Implement input validation and sanitization for the fileExt parameter
  • Monitor for suspicious activity related to file access and traversal
  • Consider implementing additional security controls, such as access controls and file system restrictions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-16T17:16:53.157Z and was last modified on 2026-07-16T17:46:29.680Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify the vulnerability with official sources and assess potential impact based on available details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:53.157Z and has not been modified since then. The NVD entry is currently Deferred.