Critical severityNVD Advisory· Published Feb 9, 2026· Updated Feb 11, 2026

FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration

CVE-2026-25894

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
fuxa-servernpm	< 1.2.10	1.2.10

Affected products

Frangoteam/Fuxav5
Range: < 1.2.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-32cc-x95p-fxcgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-25894ghsaADVISORY
github.com/frangoteam/FUXA/commit/ea7b3df066f9fdef8ecdce318398ae40546bc50dghsax_refsource_MISCWEB
github.com/frangoteam/FUXA/releases/tag/v1.2.10ghsax_refsource_MISCWEB
github.com/frangoteam/FUXA/security/advisories/GHSA-32cc-x95p-fxcgghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000