PT-2025-17576 · Unknown · Cuba Rest Api Add-On

Lowknstvk · Published 2025-04-22 · Updated 2025-04-23 · CVE-2025-32960

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

CUBA REST API add-on versions prior to 7.2.7

Description

The issue allows malicious JavaScript code to be executed in the browser. The input parameter consists of a file path and name; by manipulating it so that the name part ends with .html, the response is returned with the Content-Type header set to text/html. This requires a malicious file to be uploaded beforehand.

Recommendations

For versions prior to 7.2.7, update to version 7.2.7 to resolve the issue. Until the update to version 7.2.7 can be applied, consider using the temporary workaround provided on the Jmix documentation website.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-32960
GHSA-88H5-34XW-2Q56
GHSA-X27V-F838-JH93

Affected Products

Cuba Rest Api Add-On