So1

**Name of the Vulnerable Software and Affected Versions** JFinalCMS version 5.0.0 **Description** The issue allows a remote attacker to read files via ../ Directory Traversal in the "/common/down/file" `fileKey` parameter. This could potentially lead to unauthorized access to sensitive information. **Recommendations** For JFinalCMS version 5.0.0, as a temporary workaround, consider restricting access to the "/common/down/file" endpoint until a patch is available. Avoid using the `fileKey` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.