LuckyFrameWeb v3.5.2 exists to contain an arbitrary read vulnerability via the fileDownload method in class com.luckyframe.project.common.CommonController.