AdminDocumentation.jsp is used to display some documentation to admins and contributors. A normal URL is similar to /jsp/admin/documentation/AdminDocumentation.jsp?doc=admin-site However, the value of the "doc" paramter is used as is (without any sanity checks) to create the "strXmlPath" variable which is then used as the path to an XML file. Because of a later call to XmlUtil.transform(), only valid XML files can be read. The trailing ".xml" can be subverted by adding a NULL byte (%00) : /jsp/admin/documentation/AdminDocumentation.jsp?doc=/../../../../something/conf/xml_config.txt%00 Impact is large mainly when Lutece is deployed on some shared/hosted servers where Lutece contributors haven't sysadmins privileges.