Datart · Datart · CVE-2025-56815
**Name of the Vulnerable Software and Affected Versions**
Datart version 1.0.0-rc.3
**Description**
The software is susceptible to directory traversal through an unrestricted file upload. The vulnerable API endpoint is `POST /viz/image`, which receives the upload as a `MultipartFile` object. The server calls `MultipartFile.transferTo()` to save the uploaded file to a user-controllable path without sufficient filename validation, which allows the file save location to be manipulated.
**Recommendations**
Apply strict validation to the filename before saving the uploaded file to prevent directory traversal.
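
One way to implement this validation, as an added example that is not Datart's code or its fix: the client-supplied name must match a strict allow-list pattern, and the resolved destination must still lie inside the upload directory. The class and method names, the upload root and the accepted extensions are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class SafeUploadPath {
    // Assumption: only image types are accepted; the advisory gives no list.
    // One path segment: no separators, no "..", no leading dot, bounded length.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9_-]{0,63}\\.(png|jpg|jpeg|gif)");

    /** Returns the destination under baseDir, or throws if the name is not acceptable. */
    static Path resolveUpload(Path baseDir, String clientName) {
        if (clientName == null || !SAFE_NAME.matcher(clientName).matches()) {
            throw new IllegalArgumentException("filename rejected");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path dest = base.resolve(clientName).normalize();
        // Defence in depth: the resolved path must still sit inside the upload directory.
        if (!dest.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return dest;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/lib/app/uploads"); // hypothetical upload root
        // Constructed sample names, as a client could send them in the multipart part.
        String[] names = {
            "chart-01.png", "../../outside.png", "..\\..\\outside.png",
            "/tmp/outside.png", "sub/dir.png", ".png", "notes.txt"
        };
        for (String name : names) {
            try {
                System.out.println("accept " + name + " -> " + resolveUpload(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + name + " (" + e.getMessage() + ")");
            }
        }
        // In a Spring handler (not shown, needs spring-web):
        //   Path dest = resolveUpload(base, file.getOriginalFilename());
        //   file.transferTo(dest);
    }
}
```

Only the first sample name is accepted. The check is lexical, so it does not follow symbolic links that already exist inside the upload directory.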