Search criteria

9 vulnerabilities by Frangoteam

CVE-2026-13207 (GCVE-0-2026-13207)

Vulnerability from cvelistv5 – Published: 2026-06-30 20:24 – Updated: 2026-07-01 15:38
VLAI?
Title
Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing
Summary
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.
CWE
  • CWE-290 - Authentication bypass by spoofing
Assigner
Impacted products
Vendor Product Version
Frangoteam FUXA SCADA/HMI Affected: 0 , ≤ 1.3.1 (custom)
Unaffected: 1.3.2
Create a notification for this product.
Credits
Joshua Hayes of Cited Relevance LLC reported this vulnerability to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13207",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T15:38:13.509978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T15:38:21.816Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FUXA SCADA/HMI",
          "vendor": "Frangoteam",
          "versions": [
            {
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.3.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joshua Hayes of Cited Relevance LLC reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2026-06-30T17:20:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials."
            }
          ],
          "value": "FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication bypass by spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T20:24:33.449Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://github.com/frangoteam/FUXA/releases"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Frangoteam recommends users apply the latest version of FUXA 1.3.2 or later https://github.com/frangoteam/FUXA/releases.\u003cbr\u003e\u003ca href=\"https://github.com/frangoteam/FUXA/releases\"\u003ehttps://github.com/frangoteam/FUXA/releases\u003c/a\u003e"
            }
          ],
          "value": "Frangoteam recommends users apply the latest version of FUXA 1.3.2 or later https://github.com/frangoteam/FUXA/releases.\n https://github.com/frangoteam/FUXA/releases"
        }
      ],
      "source": {
        "advisory": "ICSA-26-181-02",
        "discovery": "EXTERNAL"
      },
      "title": "Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-13207",
    "datePublished": "2026-06-30T20:24:33.449Z",
    "dateReserved": "2026-06-24T14:31:56.877Z",
    "dateUpdated": "2026-07-01T15:38:21.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25895 (GCVE-0-2026-25895)

Vulnerability from cvelistv5 – Published: 2026-02-09 22:29 – Updated: 2026-02-11 21:24
VLAI?
Title
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T21:24:43.519834Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T21:24:49.202Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T22:30:05.359Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-88qh-cphv-996c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-88qh-cphv-996c"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/commit/22c2192f5d9beef8a787c45eff3a14c24dbb5f96",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/commit/22c2192f5d9beef8a787c45eff3a14c24dbb5f96"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10"
        }
      ],
      "source": {
        "advisory": "GHSA-88qh-cphv-996c",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25895",
    "datePublished": "2026-02-09T22:29:48.203Z",
    "dateReserved": "2026-02-06T21:08:39.130Z",
    "dateUpdated": "2026-02-11T21:24:49.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25894 (GCVE-0-2026-25894)

Vulnerability from cvelistv5 – Published: 2026-02-09 22:28 – Updated: 2026-02-11 21:25
VLAI?
Title
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
  • CWE-1188 - Insecure Default Initialization of Resource
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25894",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T21:25:11.880678Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T21:25:17.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321: Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T22:28:46.316Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-32cc-x95p-fxcg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-32cc-x95p-fxcg"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/commit/ea7b3df066f9fdef8ecdce318398ae40546bc50d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/commit/ea7b3df066f9fdef8ecdce318398ae40546bc50d"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10"
        }
      ],
      "source": {
        "advisory": "GHSA-32cc-x95p-fxcg",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25894",
    "datePublished": "2026-02-09T22:28:46.316Z",
    "dateReserved": "2026-02-06T21:08:39.130Z",
    "dateUpdated": "2026-02-11T21:25:17.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25893 (GCVE-0-2026-25893)

Vulnerability from cvelistv5 – Published: 2026-02-09 22:26 – Updated: 2026-02-11 21:25
VLAI?
Title
FUXA Unauthenticated Remote Code Execution via Admin JWT Minting
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.
CWE
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25893",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T21:25:37.043207Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T21:25:42.412Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T22:26:45.351Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-vwcg-c828-9822",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-vwcg-c828-9822"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb"
        }
      ],
      "source": {
        "advisory": "GHSA-vwcg-c828-9822",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Remote Code Execution via Admin JWT Minting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25893",
    "datePublished": "2026-02-09T22:26:45.351Z",
    "dateReserved": "2026-02-06T21:08:39.130Z",
    "dateUpdated": "2026-02-11T21:25:42.412Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25951 (GCVE-0-2026-25951)

Vulnerability from cvelistv5 – Published: 2026-02-09 22:24 – Updated: 2026-02-11 21:24
VLAI?
Title
FUXA has a Path Traversal Sanitization Bypass
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-23 - Relative Path Traversal
  • CWE-184 - Incomplete List of Disallowed Inputs
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25951",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T21:24:12.867570Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T21:24:18.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T22:24:25.857Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/commit/f7a9f04b2ab97ab5421e4ec4e711c51e9f4b65c8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/commit/f7a9f04b2ab97ab5421e4ec4e711c51e9f4b65c8"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"
        }
      ],
      "source": {
        "advisory": "GHSA-68m5-5w2h-h837",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA has a Path Traversal Sanitization Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25951",
    "datePublished": "2026-02-09T22:24:25.857Z",
    "dateReserved": "2026-02-09T17:13:54.065Z",
    "dateUpdated": "2026-02-11T21:24:18.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25939 (GCVE-0-2026-25939)

Vulnerability from cvelistv5 – Published: 2026-02-09 22:21 – Updated: 2026-02-11 21:21
VLAI?
Title
FUXA Unauthenticated Remote Arbitrary Scheduler Write
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
CWE
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T21:20:59.922955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T21:21:07.816Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, \nan authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T22:21:03.611Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c869-jx4c-q5fc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c869-jx4c-q5fc"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/commit/5782b35117a9bd14ffcb881f8dfb8c6680157d9b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/commit/5782b35117a9bd14ffcb881f8dfb8c6680157d9b"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"
        }
      ],
      "source": {
        "advisory": "GHSA-c869-jx4c-q5fc",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Remote Arbitrary Scheduler Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25939",
    "datePublished": "2026-02-09T22:21:03.611Z",
    "dateReserved": "2026-02-09T16:22:17.787Z",
    "dateUpdated": "2026-02-11T21:21:07.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25938 (GCVE-0-2026-25938)

Vulnerability from cvelistv5 – Published: 2026-02-09 22:18 – Updated: 2026-02-11 21:22
VLAI?
Title
FUXA Unauthenticated Remote Code Execution in Node-RED Integration
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
CWE
  • CWE-290 - Authentication Bypass by Spoofing
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: >= 1.2.8, < 1.2.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25938",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T21:22:14.141150Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T21:22:19.452Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.2.8, \u003c 1.2.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T22:18:15.774Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"
        }
      ],
      "source": {
        "advisory": "GHSA-v4p5-w6r3-2x4f",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Remote Code Execution in Node-RED Integration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25938",
    "datePublished": "2026-02-09T22:18:15.774Z",
    "dateReserved": "2026-02-09T16:22:17.786Z",
    "dateUpdated": "2026-02-11T21:22:19.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25751 (GCVE-0-2026-25751)

Vulnerability from cvelistv5 – Published: 2026-02-06 19:07 – Updated: 2026-02-09 15:28
VLAI?
Title
FUXA Unauthenticated Exposure of Plaintext Database Credentials
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CWE
  • CWE-306 - Missing Authentication for Critical Function
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25751",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:19:28.783723Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:28:22.521Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312: Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T19:07:17.314Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10"
        }
      ],
      "source": {
        "advisory": "GHSA-c5gq-4h56-4mmx",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Exposure of Plaintext Database Credentials"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25751",
    "datePublished": "2026-02-06T19:07:17.314Z",
    "dateReserved": "2026-02-05T18:35:52.356Z",
    "dateUpdated": "2026-02-09T15:28:22.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25752 (GCVE-0-2026-25752)

Vulnerability from cvelistv5 – Published: 2026-02-06 19:05 – Updated: 2026-02-09 15:28
VLAI?
Title
FUXA Unauthenticated Remote Arbitrary Device Tag Write
Summary
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CWE
Assigner
Impacted products
Vendor Product Version
frangoteam FUXA Affected: < 1.2.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25752",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:22:51.681500Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:28:27.869Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FUXA",
          "vendor": "frangoteam",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T19:05:57.771Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8"
        },
        {
          "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10"
        }
      ],
      "source": {
        "advisory": "GHSA-ggxw-g3cp-mgf8",
        "discovery": "UNKNOWN"
      },
      "title": "FUXA Unauthenticated Remote Arbitrary Device Tag Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25752",
    "datePublished": "2026-02-06T19:05:57.771Z",
    "dateReserved": "2026-02-05T18:35:52.356Z",
    "dateUpdated": "2026-02-09T15:28:27.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}