CVE-2026-25951
Published 2026-02-09
Priority: P3 · 53 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.22% (64.8th percentile)
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | < 1.2.11 | 1.2.11 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
GHSA
FUXA Affected by a Path Traversal Sanitization Bypass
ghsa · 2026-02-10 · CVSS 7.5
CVE-2026-25951 [HIGH] CWE-184
### Summary
A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability: a patch bypass for the sanitization added in the last release.
### Details
This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:
Patch Bypass (Regression): The vulnerability circumvents the existing sanitization
OSV
FUXA Affected by a Path Traversal Sanitization Bypass
osv · 2026-02-10 · CVSS 7.5
No detection rules found.
No public exploits indexed.