CVE-2025-32951 io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends...
CVE-2025-32951
CVE-2025-32951 affects io.jmix.rest:jmix-rest via the /files endpoint, enabling XSS when an attacker manipulates a file-path/name input so the Content-Type becomes text/html for names ending with .html. Impact is cross-site scripting in browsers when a malicious file is uploaded beforehand. Affec...