CVE-2026-25894
published 2026-02-09CVE-2026-25894: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker…
PriorityP275critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.76%
50.6th percentile
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | < 1.2.10 | 1.2.10 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.5CRITICALCVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa9.8CRITICAL
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
ghsa·2026-02-05·CVSS 9.8
CVE-2026-25894 [CRITICAL] CWE-1188 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
### Description
An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
### Impact
The FUXA documentation allows administrators to manually update a hardcoded JWT secret when enabling authentication. This feature was not available in the UI. This results in a fail-open security posture, where the application can report or appear to be operating in `secureEnabled` mode while still accepting tokens signed with a publicly known
OSV
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
osv·2026-02-05·CVSS 9.8
CVE-2026-25894 [CRITICAL] FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
### Description
An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
### Impact
The FUXA documentation allows administrators to manually update a hardcoded JWT secret when enabling authentication. This feature was not available in the UI. This results in a fail-open security posture, where the application can report or appear to be operating in `secureEnabled` mode while still accepting tokens signed with a publicly known
No detection rules found.
No public exploits indexed.
2026-02-09
Published