CVE-2025-32951

Name of the Vulnerable Software and Affected Versions Jmix versions 1.0.0 through 1.6.1 Jmix versions 2.0.0 through 2.3.4

Description The issue affects Jmix, a set of libraries and tools for Spring Boot data-centric application development. It allows manipulation of the input parameter, which consists of a file path and name, to return the Content-Type header with text/html if the name part ends with .html. This could enable malicious JavaScript code to be executed in the browser. A successful attack requires a malicious file to be uploaded beforehand.

Recommendations For versions 1.0.0 through 1.6.1, update to version 1.6.2. For versions 2.0.0 through 2.3.4, update to version 2.4.0. As a temporary workaround, consider using the workaround provided on the Jmix documentation website.