CVE-2025-69981
Published 2026-02-03
Priority: P275
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.5th percentile)
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
GHSA
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
ghsa·2026-02-05·CVSS 9.8
CVE-2026-25895 [CRITICAL] CWE-22 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
### Summary
**Description**
A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
### Impact
This affects all deployments, including those with `runtime.settings.secureEnabled` set to `true`.
Exploitation allows an unauthenticated, remote attacker to overwrite application and system files. If the attacker can overwrite application code, startup scripts, or configuration files that are later executed or loaded, RCE is likely. Depending on deployment configuration and permissions, this may lead to full system compromise.
OSV
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
osv·2026-02-05·CVSS 9.8
CVE-2026-25895 [CRITICAL] FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
GHSA
FUXA contains an Unrestricted File Upload vulnerability
ghsa·2026-02-03
CVE-2025-69981 [HIGH] CWE-306 FUXA contains an Unrestricted File Upload vulnerability
FUXA contains an Unrestricted File Upload vulnerability
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.
OSV
FUXA contains an Unrestricted File Upload vulnerability
osv·2026-02-03
CVE-2025-69981 [HIGH] FUXA contains an Unrestricted File Upload vulnerability
No detection rules found.
No public exploits indexed.
Published 2026-02-03