The vulnerability CVE-2025-32302 in gavias Winnex (<= 1.3.2) is caused by improper control of the filename parameter in PHP include/require statements, leading to a Local File Inclusion (LFI) vulnerability. This flaw allows an attacker to include arbitrary files from the server, potentially exposing sensitive information or enabling further code execution. The CVSS 3.1 score of 8.1 reflects a high-severity issue exploitable remotely without authentication but requiring high attack complexity. No official patch or vendor advisory is currently available, and no known exploits have been reported.

Successful exploitation of this vulnerability can lead to disclosure of sensitive files, code execution, and full compromise of the affected system's confidentiality, integrity, and availability. The high CVSS score reflects the critical nature of these impacts. However, there are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying temporary mitigations such as restricting access to vulnerable endpoints, disabling vulnerable functionality if possible, or using web application firewalls to detect and block suspicious requests related to file inclusion. Monitor vendor channels for updates and apply official patches promptly once released.