High severity · NVD Advisory · Published Feb 9, 2026 · Updated Feb 11, 2026
FUXA has a Path Traversal Sanitization Bypass
CVE-2026-25951
Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.
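The general pattern behind a nested-sequence bypass such as ....// is a sanitizer that deletes ../ in a single pass; the added Node.js example below shows that pattern next to a resolve-then-contain check. It is not FUXA's code or the 1.2.11 patch (the page does not show either), and `BASE_DIR`, the function names and the sample file names are constructed for illustration.

```javascript
// Added illustration; not FUXA's code. All names and paths are hypothetical.
const path = require('node:path').posix; // POSIX rules: same result on any host

const BASE_DIR = '/srv/app/uploads'; // constructed upload root

// Weak: one non-recursive pass that deletes "../". Removing the inner "../"
// from "....//" joins the characters around it into a fresh "../".
function stripOnce(name) {
  return name.replace(/\.\.\//g, '');
}

// Weak pattern: trust the stripped string and join it to the base directory.
function weakResolve(name) {
  return path.join(BASE_DIR, stripOnce(name));
}

// Hardened: never rewrite the input. Resolve it against the base, then require
// the resolved path to stay strictly below BASE_DIR; reject anything else.
function safeResolve(name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    throw new Error('invalid file name');
  }
  const target = path.resolve(BASE_DIR, name);
  const rel = path.relative(BASE_DIR, target);
  if (rel === '' || rel === '..' || rel.startsWith('../')) {
    throw new Error('path escapes upload directory');
  }
  return target;
}

// Returns the resolved path, or null when the hardened check rejects the name.
function tryResolve(name) {
  try { return safeResolve(name); } catch { return null; }
}

// Constructed inputs: a plain name, a plain traversal, and the nested form.
for (const name of ['report.svg', '../outside.txt', '....//outside.txt']) {
  console.log(JSON.stringify(name),
    '| weak:', weakResolve(name),
    '| hardened:', tryResolve(name) ?? 'rejected');
}
```

Without the stripping step, `....` is only an oddly named directory, so the hardened function keeps the nested input inside the base directory instead of turning it into a traversal.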
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fuxa-server (npm) | < 1.2.11 | 1.2.11 |
Affected products
- Range: < 1.2.11
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-68m5-5w2h-h837 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25951 (ghsa; ADVISORY)
- github.com/frangoteam/FUXA/commit/3ecce46333ed33e3f66f378e38e317cde702b0ae (ghsa; WEB)
- github.com/frangoteam/FUXA/commit/f7a9f04b2ab97ab5421e4ec4e711c51e9f4b65c8 (ghsa, x_refsource_MISC; WEB)
- github.com/frangoteam/FUXA/pull/2177 (ghsa; WEB)
- github.com/frangoteam/FUXA/releases/tag/v1.2.11 (ghsa, x_refsource_MISC; WEB)
- github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837 (ghsa, x_refsource_CONFIRM; WEB)