PT-2025-17577 · Cuba Jpa · Cuba Jpa

Knstvk · Published 2025-04-22 · Updated 2025-04-22 · CVE-2025-32961

CVSS v3.1: 6.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Cuba JPA versions prior to 1.1.1

Description

The Cuba JPA web API allows loading and saving entities defined in the application data model through simple HTTP requests. Prior to version 1.1.1, the input parameter, which includes a file path and name, can be manipulated so that the response is returned with a Content-Type header of text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand.

Recommendations

For versions prior to 1.1.1, update to version 1.1.1 to resolve the issue. Until the update to version 1.1.1 can be applied, consider using the temporary workaround provided on the Jmix documentation website.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-32961
GHSA-HG25-W3VG-7279

Affected Products

Cuba Jpa