npm package
@frangoteam/fuxa
pkg:npm/%40frangoteam/fuxa
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-69985 | — | | | <= 1.2.8 | — | Feb 24, 2026 | FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthentica |
| CVE-2025-69971 | — | | | < 1.3.0 | 1.3.0 | Feb 3, 2026 | FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative acces |
| CVE-2023-31716 | — | | | <= 1.1.12 | — | Sep 21, 2023 | FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log |
| CVE-2023-33831 | — | | | <= 1.1.13 | — | Sep 18, 2023 | A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. |
| CVE-2021-45851 | — | | | <= 1.1.3 | — | Mar 16, 2022 | A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtaining of sensitive information from the server's internal environment and services, often potentially leading to the attacker executing commands on the server. |