Kakadu · Kakadu · CVE-2023-6562
**Name of the Vulnerable Software and Affected Versions**
Kakadu version 7.9
**Description**
A JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server, provided the server lets the attacker upload a specially crafted image and then displays that image back to the attacker.
**Recommendations**
For Kakadu version 7.9, consider restricting image upload capabilities to trusted users or disabling the display of user-uploaded images until a patch is available. As a temporary workaround, restrict access to sensitive files and directories on the server to minimize the risk of exploitation.
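A narrower form of the first recommendation is to reject, at upload time, any JPX file that carries fragment tables or data-reference URLs, so the decoder never sees them while the patch is pending. The Python pre-filter below is an added example, not Kakadu code; it assumes the JP2/JPX box layout of ISO/IEC 15444-1/-2 (flst entries of an 8-byte offset, 4-byte length and 2-byte data-reference index; url boxes of a 1-byte version, 3-byte flags and a NUL-terminated location), and the two sample files at the bottom are constructed for the test.

```python
import struct
# Superboxes whose payload is a plain run of boxes (JP2/JPX box model as given in
# ISO/IEC 15444-1/-2); dtbl is special: a 2-byte NDR count, then URL boxes.
SUPERBOXES = {b"jp2h", b"ftbl", b"jpch", b"jplh", b"res ", b"uinf", b"asoc"}

def box(tbox, payload):  # build a box with a 4-byte length header (test data only)
    return struct.pack(">I4s", 8 + len(payload), tbox) + payload

def iter_boxes(buf, start=0, end=None):
    """Yield (type, payload) for each box, descending into superboxes."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        lbox, tbox = struct.unpack(">I4s", buf[pos:pos + 8])
        hdr = 8
        if lbox == 1 and pos + 16 <= end:      # extended 8-byte length follows
            lbox, hdr = struct.unpack(">Q", buf[pos + 8:pos + 16])[0], 16
        elif lbox == 0:                        # box runs to end of its container
            lbox = end - pos
        if lbox < hdr or pos + lbox > end:     # malformed length: stop, do not guess
            return
        yield tbox, buf[pos + hdr:pos + lbox]
        if tbox in SUPERBOXES:
            yield from iter_boxes(buf, pos + hdr, pos + lbox)
        elif tbox == b"dtbl":                  # skip the NDR count, then URL boxes
            yield from iter_boxes(buf, pos + hdr + 2, pos + lbox)
        pos += lbox

def external_references(buf):
    """List fragment entries and URL boxes that point outside the file itself."""
    findings = []
    for tbox, payload in iter_boxes(buf):
        if tbox == b"flst" and len(payload) >= 2:
            nf = struct.unpack(">H", payload[:2])[0]
            for i in range(min(nf, (len(payload) - 2) // 14)):
                _off, _len, dr = struct.unpack(">QIH", payload[2 + i*14:16 + i*14])
                if dr != 0:                    # DR 0 = this file; else a dtbl entry
                    findings.append(f"flst fragment {i} -> data reference {dr}")
        elif tbox == b"url " and len(payload) >= 4:   # VERS(1) FLAG(3) LOC(NUL-terminated)
            loc = payload[4:].split(b"\0", 1)[0].decode("utf-8", "replace")
            findings.append(f"url box -> {loc}")
    return findings

def safe_to_decode(buf):  # assumed upload policy: refuse any JPX using fragment tables or URLs
    return not external_references(buf)

# Constructed sample files: a plain JP2-style file and a JPX with an external fragment.
HEAD = box(b"jP  ", b"\r\n\x87\n") + box(b"ftyp", b"jpx \0\0\0\0jpx ")
BENIGN_JPX = HEAD + box(b"jp2c", b"\xff\x4f\xff\xd9")
SUSPECT_JPX = (HEAD + box(b"ftbl", box(b"flst", struct.pack(">HQIH", 1, 0, 4096, 1)))
    + box(b"dtbl", b"\0\x01" + box(b"url ", b"\0\0\0\0http://example.invalid/frag.bin\0")))
```

Run `safe_to_decode()` on the uploaded bytes before handing them to the decoder, and log the findings so flagged uploads can be reviewed.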