fuxa-server
npm22 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting fuxa-serverpage 1 of 1
- CVE-2023-31717HIGHCVSS 7.5EG 7.52023-09-22
A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.
- CVE-2023-31718HIGHCVSS 7.5EG 7.52023-09-22
FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download.
- CVE-2023-31719CRITICALCVSS 9.8EG 9.82023-09-22
FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
- CVE-2025-69970CRITICALCVSS 9.3EG 9.32026-02-03
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unaut…
- CVE-2025-69971CRITICALCVSS 9.8EG 9.82026-02-03
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authent…
- CVE-2025-69981CRITICALCVSS 9.8EG 9.82026-02-03
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to o…
- CVE-2025-69983CRITICALCVSS 9.8EG 9.82026-02-03
FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project cont…
- CVE-2026-25751HIGHCVSS 7.5EG 7.5✓ Fixed in 1.2.102026-02-06
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation al…
- CVE-2026-25752CRITICALCVSS 9.1EG 9.1✓ Fixed in 1.2.102026-02-06
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated…
- CVE-2026-25893CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.2.102026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh AP…
- CVE-2026-25894CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.2.102026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This aff…
- CVE-2026-25895CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.2.102026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affe…
- CVE-2026-25938CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.2.112026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the…
- CVE-2026-25939CRITICALCVSS 9.1EG 9.1✓ Fixed in 1.2.112026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary sched…
- CVE-2026-25951HIGHCVSS 7.2EG 7.2✓ Fixed in 1.2.112026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protect…
- CVE-2026-43946HIGHCVSS 0.0EG 0.0✓ Fixed in 1.3.12026-05-26
vulnerable: 1.3.0
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue ### Summary An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist. …
- CVE-2026-43947HIGHCVSS 0.0EG 0.0✓ Fixed in 1.3.12026-05-26
vulnerable: 1.3.0
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass ### Summary An unauthenticated Remote Code Execution vulnerability exists in FUXA when `secureEnabled` is set to `true`. The `POST /api/ru…
- CVE-2026-47717HIGHCVSS 7.5EG 7.5✓ Fixed in 1.3.12026-05-27
vulnerable: 1.3.0
FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations ### Summary The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled…
- CVE-2026-47718MEDIUMCVSS 0.0EG 0.0✓ Fixed in 1.3.12026-05-28
vulnerable: 1.3.0-2773
FUXA provides guest and invalid-token access to protected read APIs in secure mode ### Summary When `secureEnabled=true`, FUXA `1.3.0-2773` still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. #…
- CVE-2026-47719HIGHCVSS 8.2EG 8.22026-06-08
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading ## Summary An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a `device-webapi-request` event whose…
- CVE-2026-47720MEDIUMCVSS 5.3EG 5.32026-06-08
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString ## Summary The TDengine DAQ storage connector's `escapeTdString` at `server/runtime/storage/tdengine/index.js:10` doubles single quotes but does …
- CVE-2026-47721MEDIUMCVSS 6.3EG 6.32026-06-08
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions ## Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions…
Check whether fuxa-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for fuxa-server CVEs against the assets you own.
Start Free Scan →