Unknown · Cuba Rest Api Add-On · CVE-2025-32960
**Name of the Vulnerable Software and Affected Versions**
CUBA REST API add-on versions prior to 7.2.7
**Description**
The issue allows malicious JavaScript code to be executed in the browser by manipulating the input parameter, which consists of a file path and name, to return the Content-Type header with text/html if the name part ends with .html. This requires a malicious file to be uploaded beforehand.
**Recommendations**
For versions prior to 7.2.7, update to version 7.2.7 to resolve the issue.
As a temporary workaround, consider using the workaround provided on the Jmix documentation website until the update to version 7.2.7 can be applied.