243 matches found
FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass
FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions. id: CVE-2025-69971 info: name: FUXA = 1.2.7 - Hardcoded J...
FUXA - Unauthenticated Remote Code Execution
A remote command execution RCE vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. id: CVE-2023-33831 info: name: FUXA - Unauthenticated Remote Code Execution author: gy741 severity: critical description: | A remot...
CVE-2026-13207
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...
EUVD-2026-40409
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...
CVE-2026-13207
The CVE refers to FUXA prior to 1.3.2 with an authentication bypass in the REST API caused by improper normalization of dot-segments in the router. Prefixing paths with dot-segments (e.g., /api/./users, /api/./roles, /api/project/../users) can bypass authentication and expose protected data such ...
CVE-2026-13207 Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...
VulnCheck KEV: CVE-2026-25939
FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on...
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
Summary An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplie...
GHSA-RG3M-CFQ7-G6H6 FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
Summary An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplie...
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
Summary An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist. Details The issue is caused by the combination of these code paths: - server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-k...
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
Pre-auth RCE in FUXA via Logic Bypass Summary A Critical vulnerability chain exists in FUXA v.1.3.0-2706 that allows an unauthenticated remote attacker to achieve Full Remote Code Execution RCE as root. The exploit succeeds even when the platform is configured in its most secure state Secure Mode...
GHSA-P69W-MMFV-XRFJ FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
Pre-auth RCE in FUXA via Logic Bypass Summary A Critical vulnerability chain exists in FUXA v.1.3.0-2706 that allows an unauthenticated remote attacker to achieve Full Remote Code Execution RCE as root. The exploit succeeds even when the platform is configured in its most secure state Secure Mode...
CVE-2026-47717
creationtimestamp| type| source ---|---|--- 2026-05-26 16:06:13+00:00| published-proof-of-concept| https://github.com/frangoteam/FUXA/security/advisories/GHSA-q3w6-q3hc-c5x6 2026-06-18 02:57:08+00:00| confirmed|...
PT-2026-43445
Pre-auth RCE in FUXA via Logic Bypass Summary A Critical vulnerability chain exists in FUXA v.1.3.0-2706 that allows an unauthenticated remote attacker to achieve Full Remote Code Execution RCE as root. The exploit succeeds even when the platform is configured in its most secure state Secure Mode...
PT-2026-43447
Summary An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script's permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplie...
📄 FUXA 1.2.9 Remote Code Execution
FUXA versions 1.2.9 and below suffers from an unauthenticated path traversal vulnerability that leads to arbitrary file write that enables remote code execution. Exploit Title: FUXA 1.2.9 - RCE Date: 4/24/2026 Exploit Author: Anthony Cihan Hann1bl3L3ct3r Vendor Homepage:...
FUXA 1.2.9 - RCE
Exploit Title: FUXA 1.2.9 - RCE Date: 4/24/2026 Exploit Author: Anthony Cihan Hann1bl3L3ct3r Vendor Homepage: https://github.com/frangoteam/FUXA Version: Arbitrary File Write - RCE Affected: FUXA makes Node's path.resolve climb out of appDir to anywhere the FUXA process can write. fullPath/fileNa...
Exploit for Authentication Bypass Using an Alternate Path or Channel in Frangoteam Fuxa
CVE-2025-69985: Exploit para Autenticación Bypass a RCE en FUX...
Exploit for Authentication Bypass Using an Alternate Path or Channel in Frangoteam Fuxa
CVE-2025-69985: FUXA ≤ 1.2.8 Authentication Bypass + RCE Explo...
FUXA 1.2.8 - Authentication Bypass + RCE Exploit
Exploit Title: FUXA 1.2.8 - Authentication Bypass + RCE Exploit Date: 2026-02-25 Exploit Author: Joshua van der Poll https://github.com/joshuavanderpoll/ Software Link: https://github.com/frangoteam/FUXA/tree/v1.2.8 Vendor Homepage: https://github.com/frangoteam/FUXA Version: FUXA 1.2.8. Do not u...