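Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated so that the response is returned with a Content-Type header of text/html if the name part ends with .html. Because the browser then renders the returned file as HTML instead of downloading it, this could allow malicious JavaScript code to be executed in the browser (CWE-79, cross-site scripting). For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in versions 1.6.2 and 2.4.0; upgrading is the fix, and a workaround for deployments that cannot upgrade is provided on the Jmix documentation website. The function and line signatures in the record below reference fix commits in the cuba-platform/cuba repository (FileStorage.java, ServerConfig.java and CubaFoldersPane.java).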
{
"cwe_ids": [
"CWE-79"
],
"cna_assigner": "GitHub_M",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32951.json"
}[
{
"id": "CVE-2025-32951-03606b61",
"target": {
"function": "saveStream",
"file": "modules/core/src/com/haulmont/cuba/core/app/filestorage/FileStorage.java"
},
"signature_version": "v1",
"source": "https://github.com/cuba-platform/cuba/commit/42b6c00fd0572b8e52ae31afd1babc827a3161a1",
"signature_type": "Function",
"digest": {
"function_hash": "154094281552645561377766846870311210537",
"length": 1480.0
},
"deprecated": false
},
{
"id": "CVE-2025-32951-29ffb964",
"target": {
"function": "collapseItemInTree",
"file": "modules/web/src/com/haulmont/cuba/web/app/folders/CubaFoldersPane.java"
},
"signature_version": "v1",
"source": "https://github.com/cuba-platform/cuba/commit/abd9e244c75e57c4dedda9dee94625e04c7e9605",
"signature_type": "Function",
"digest": {
"function_hash": "230535455277896422540158206117462863579",
"length": 722.0
},
"deprecated": false
},
{
"id": "CVE-2025-32951-45938e32",
"target": {
"file": "modules/web/src/com/haulmont/cuba/web/app/folders/CubaFoldersPane.java"
},
"signature_version": "v1",
"source": "https://github.com/cuba-platform/cuba/commit/abd9e244c75e57c4dedda9dee94625e04c7e9605",
"signature_type": "Line",
"digest": {
"line_hashes": [
"3348785445997819084761661782674318438",
"196703582338271254139492723554570091891",
"220367452012091088272919726072403128360",
"128557132315888582509965673859041750684",
"124818379764213729413155514360571321701",
"64022490943678785288107327486887085271",
"150008414564908546796972801394776822050",
"49905986746914357336787574030963635708",
"241558133520366660567415788332851198782",
"71682055869131884205275963181184512129",
"22004011759052136753874933289570394301"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-32951-9bf1e190",
"target": {
"file": "modules/core/src/com/haulmont/cuba/core/app/ServerConfig.java"
},
"signature_version": "v1",
"source": "https://github.com/cuba-platform/cuba/commit/42b6c00fd0572b8e52ae31afd1babc827a3161a1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"85516700792758930825590373984692801643",
"110038988501292467352891284695743981511",
"240740207134093667813046071575955070107",
"190201739922301247280384152234658188356",
"153953561482474271954095220872426115230",
"318283804821084998643334262971990067035",
"93889483484373201680576286636251137988",
"160878521615346697613443191163184051177",
"79937744922200117699829157182311109448",
"55085444238556529549131815020773098873",
"260700480681005811560909012912728624057",
"265000308277612675308238222873266213696",
"76127233378353261750961425865708810780"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-32951-a91835e8",
"target": {
"file": "modules/core/src/com/haulmont/cuba/core/app/filestorage/FileStorage.java"
},
"signature_version": "v1",
"source": "https://github.com/cuba-platform/cuba/commit/42b6c00fd0572b8e52ae31afd1babc827a3161a1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"105377438641820252801035230913176238884",
"109320632837622641046056041512613162667",
"20925278502916451922664718368765028707",
"201169683846923176807712341669348993805",
"113851231452732460528306130170237831865",
"142781833362797574576531627533472138945",
"282438525334130075113529403023544374302",
"176189880099362834086192505201080294328"
],
"threshold": 0.9
},
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32951.json"
"2026-04-12T16:10:18Z"