CVE-2026-25938
Published 2026-02-09
Priority P273 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.98% (57.7th percentile)
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | — | — |
| frangoteam | fuxa | >= 1.2.8 < 1.2.11 | 1.2.11 |
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.5 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV advisory (osv, 2026-02-10): CVE-2026-25938 [CRITICAL] FUXA Unauthenticated Remote Code Execution in Node-RED Integration
### Summary
**Description**
An authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.
### Impact
This affects all deployments with the Node-RED plugin enabled, including those with `runtime.settings.secureEnabled` set to true.
Exploitation allows an unauthenticated, remote attacker to send a specially crafted request to the `/nodered/flows` endpoint to bypass authentication checks, granting the attacker administrative access to the Node-RED deployment API. By submitting a malicious flow configuration, an attacker
GHSA advisory (ghsa, 2026-02-10): CVE-2026-25938 [CRITICAL] CWE-290 FUXA Unauthenticated Remote Code Execution in Node-RED Integration (advisory text identical to the OSV entry above)
No detection rules found.
No public exploits indexed.