An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.