Critical severityNVD Advisory· Published Feb 9, 2026· Updated Feb 11, 2026
FUXA Unauthenticated Remote Code Execution in Node-RED Integration
CVE-2026-25938
Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
fuxa-servernpm | >= 1.2.8, < 1.2.11 | 1.2.11 |
Affected products
1- Range: >= 1.2.8, < 1.2.11
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-v4p5-w6r3-2x4fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25938ghsaADVISORY
- github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336ghsax_refsource_MISCWEB
- github.com/frangoteam/FUXA/releases/tag/v1.2.11ghsax_refsource_MISCWEB
- github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4fghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.