JFinalCMS 5.0.0 could allow a remote malicious user to read files via ../ Directory Traversal in the /common/down/file fileKey parameter.
jfinalcms project jfinalcms 5.0.0