PT-2025-14855 · Jfinalcms · Jfinalcms

760046475 · Published 2025-04-04 · Updated 2025-04-04 · CVE-2025-3214

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

JFinal CMS versions up to 5.2.4

Description

A vulnerability has been found in the function engine.getTemplate of the file /readTemplate, where the manipulation of the template argument leads to path traversal. The attack can be launched remotely. The real existence of this vulnerability is still doubted, with the vendor explaining it as a feature rather than a bug.

Recommendations

For versions up to 5.2.4, as a temporary workaround, consider restricting access to the engine.getTemplate function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-3214

Affected Products

Jfinalcms