CVE-2023-31718
Published 2023-09-22
CVE-2023-31718: FUXA <= 1.1.12 is vulnerable to Local File Inclusion via `/api/download`.
Priority: P343 · high · 7.5 · CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:H I:N A:N
EPSS: 1.49% (71.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | <= 1.1.12 | — |
CVSS provenance
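| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |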
GHSA
FUXA Affected by a Path Traversal Sanitization Bypass
ghsa·2026-02-10·CVSS 7.5
CVE-2026-25951 [HIGH] CWE-184 FUXA Affected by a Path Traversal Sanitization Bypass
### Summary
A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., `....//`), an attacker can write arbitrary files to the server filesystem, including sensitive directories like `runtime/scripts`. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability: a patch bypass for the sanitization in the last release.
### Details
This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:
Patch Bypass (Regression): The vulnerability circumvents the existing sanitization
OSV
FUXA Affected by a Path Traversal Sanitization Bypass
osv·2026-02-10·CVSS 7.5
CVE-2026-25951 [HIGH] FUXA Affected by a Path Traversal Sanitization Bypass
OSV
FUXA local file inclusion vulnerability
osv·2023-09-22
CVE-2023-31718 [HIGH] FUXA local file inclusion vulnerability
FUXA <= 1.1.12 is vulnerable to Local File Inclusion via `/api/download`.
GHSA
FUXA local file inclusion vulnerability
ghsa·2023-09-22
CVE-2023-31718 [HIGH] CWE-98 FUXA local file inclusion vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-09-22
Published