cbcvebase.

Frangoteam Fuxa vulnerabilities

20 known vulnerabilities affecting frangoteam/fuxa.

Total CVEs
20
CISA KEV
0
Public exploits
5
Exploited in wild
3
Severity breakdown
CRITICAL13HIGH7

Vulnerabilities

Page 1 of 1
CVE-2026-25939P1CRITICALCVSS 9.1ExploitedPoC≥ 1.2.8, < 1.2.11fixed in 1.2.112026-02-09
CVE-2026-25939 [CRITICAL] CWE-862 CVE-2026-25939: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.
nvd
CVE-2025-69985P1CRITICALCVSS 9.8ExploitedPoC≤ 1.2.82026-02-24
CVE-2025-69985 [CRITICAL] CWE-288 CVE-2025-69985: FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Executio FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer he
ghsanvdosv
CVE-2023-33831P1CRITICALCVSS 9.8ExploitedPoCv1.1.132023-09-18
CVE-2023-33831 [CRITICAL] CWE-77 CVE-2023-33831: A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
ghsanvdosv
CVE-2026-25895P2CRITICALCVSS 9.8PoCfixed in 1.2.102026-02-09
CVE-2026-25895 [CRITICAL] CWE-22 CVE-2026-25895: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerabi FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
nvd
CVE-2025-69971P2CRITICALCVSS 9.8PoCv1.2.72026-02-03
CVE-2025-69971 [CRITICAL] CWE-798 CVE-2025-69971: FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The applicat FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
nvd
CVE-2026-25894P2CRITICALCVSS 9.8fixed in 1.2.102026-02-09
CVE-2026-25894 [CRITICAL] CWE-321 CVE-2026-25894: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default config FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not config
nvd
CVE-2025-69981P2CRITICALCVSS 9.8v1.2.72026-02-03
CVE-2025-69981 [CRITICAL] CWE-434 CVE-2025-69981: FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. Th FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload
nvd
CVE-2026-25893P2CRITICALCVSS 9.8fixed in 1.2.102026-02-09
CVE-2026-25893 [CRITICAL] CWE-285 CVE-2026-25893: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authen FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.
nvd
CVE-2023-31719P2CRITICALCVSS 9.8≤ 1.1.122023-09-22
CVE-2023-31719 [CRITICAL] CWE-89 CVE-2023-31719: FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin. FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
nvd
CVE-2026-25938P2CRITICALCVSS 9.8≥ 1.2.8, < 1.2.11v>= 1.2.8, < 1.2.112026-02-09
CVE-2026-25938 [CRITICAL] CWE-290 CVE-2026-25938: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
nvd
CVE-2026-25752P2CRITICALCVSS 9.1fixed in 1.2.102026-02-06
CVE-2026-25752 [CRITICAL] CWE-862 CVE-2026-25752: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vu FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communic
nvd
CVE-2025-69970P2CRITICALCVSS 9.3v1.2.72026-02-03
CVE-2025-69970 [CRITICAL] CWE-1188 CVE-2025-69970: FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipme
nvd
CVE-2025-69983P2CRITICALCVSS 9.8v1.2.72026-02-03
CVE-2025-69983 [CRITICAL] CWE-94 CVE-2025-69983: FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.
nvd
CVE-2026-25951P3HIGHCVSS 7.2fixed in 1.2.112026-02-09
CVE-2026-25951 [HIGH] CWE-22 CVE-2026-25951: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesy
nvd
CVE-2023-31717P3HIGHCVSS 7.5≤ 1.1.122023-09-22
CVE-2023-31717 [HIGH] CWE-89 CVE-2023-31717: A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the da A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.
nvd
CVE-2026-25751P3HIGHCVSS 7.5fixed in 1.2.102026-02-06
CVE-2026-25751 [HIGH] CWE-306 CVE-2026-25751: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credenti
nvd
CVE-2023-31718P3HIGHCVSS 7.5≤ 1.1.122023-09-22
CVE-2023-31718 [HIGH] CWE-98 CVE-2023-31718: FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.
nvd
CVE-2021-45851P3HIGHCVSS 7.5v1.1.32022-03-16
CVE-2021-45851 [HIGH] CWE-918 CVE-2021-45851: A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtainin A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtaining of sensitive information from the server's internal environment and services, often potentially leading to the attacker executing commands on the server.
ghsanvdosv
CVE-2023-31716P3HIGHCVSS 7.5≤ 1.1.122023-09-22
CVE-2023-31716 [HIGH] CWE-98 CVE-2023-31716: FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log
ghsanvdosv
CVE-2026-43945HIGH≥ 1.2.11, < 1.3.12026-05-26
CVE-2026-43945 [HIGH] CWE-284 FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection **Pre-auth** RCE in FUXA via Logic Bypass Summary A Critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve Full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode
ghsa
Frangoteam Fuxa vulnerabilities | cvebase