Jfinal CMS is a powerful information consulting website developed in java that uses JFinal as the web framework, beetl for the template engine, mysql for the database, and bootstrap framework for the front-end. improper access control vulnerabilities exist in Jfinal CMS 4.7.1 and earlier versions. An attacker could use the FileManager.delete() function in modules/filemanager/FileManagerController.java to obtain sensitive information or cause a denial of service.