# Frangoteam

## All CVEs
27 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-13207 | Frangoteam / FUXA | High | 0.49 | 7.5 | — | — | Jun 30, 2026 | FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access… |
| CVE-2026-47719 | Frangoteam / FUXA | High | 0.45 | — | 0.00 | — | Jun 8, 2026 | Summary: An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a `device-webapi-request` event whose `property.address` field names an arbitrary URL. FUXA's `DEVICE_WEBAPI_REQUEST` handler at `server/runtime/index.js:296` calls… |
| CVE-2026-43947 | Frangoteam / FUXA | High | 0.39 | — | 0.01 | — | May 26, 2026 | Summary: An unauthenticated Remote Code Execution vulnerability exists in FUXA when `secureEnabled` is set to `true`. The `POST /api/runscript` endpoint checks authorization against the stored script's permission by ID, but when `test: true` is set in the request, it… |
| CVE-2026-43946 | Frangoteam / FUXA | High | 0.39 | — | 0.00 | — | May 26, 2026 | Summary: An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist. Details: The issue is caused by the combination of these code paths: `server/api/apikeys/verify-api-or-token.j…` |
| CVE-2026-47717 | Frangoteam / FUXA | High | 0.38 | — | 0.00 | — | May 27, 2026 | Summary: The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled. Details: File `server/api/projects/index.js`, `prjApp.get("/api/project", secureFnc, function(req, res) {`… |
| CVE-2026-43945 | Frangoteam / FUXA | High | 0.38 | — | 0.01 | — | May 26, 2026 | Pre-auth RCE in FUXA via logic bypass. Summary: A critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its… |
| CVE-2023-33831 | Frangoteam / FUXA | — | 0.07 | — | 0.14 | — | Sep 18, 2023 | A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. |
| CVE-2023-31719 | Frangoteam / FUXA | — | 0.05 | — | 0.27 | — | Sep 21, 2023 | FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin. |
| CVE-2025-69985 | Frangoteam / FUXA | — | 0.03 | — | 0.06 | — | Feb 24, 2026 | FUXA 1.2.8 and prior contain an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote… |
| CVE-2023-31718 | Frangoteam / FUXA | — | 0.03 | — | 0.01 | — | Sep 21, 2023 | FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download. |
| CVE-2023-31716 | Frangoteam / FUXA | — | 0.03 | — | 0.01 | — | Sep 21, 2023 | FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log. |
| CVE-2023-31717 | Frangoteam / FUXA | — | 0.02 | — | 0.02 | — | Sep 21, 2023 | A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. |
| CVE-2026-47721 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | Jun 8, 2026 | Summary: An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details: The Scheduler API did not correctly enforce administrator permissions when processing… |
| CVE-2026-47720 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | Jun 8, 2026 | Summary: The TDengine DAQ storage connector's `escapeTdString` at `server/runtime/storage/tdengine/index.js:10` doubles single quotes but does not escape backslashes. TDengine's SQL parser treats `\'` as a literal single quote inside a string, so a tag id of the form `x\' OR…` |
| CVE-2026-47718 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | May 28, 2026 | Summary: When `secureEnabled=true`, FUXA `1.3.0-2773` still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details: In secure mode, requests with no token or an explicitly invalid token were still able to access protected read… |
| CVE-2026-25895 | Frangoteam / FUXA | — | 0.00 | — | 0.03 | — | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This… |
| CVE-2026-25894 | Frangoteam / FUXA | — | 0.00 | — | 0.01 | — | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when… |
| CVE-2026-25893 | Frangoteam / FUXA | — | 0.00 | — | 0.01 | — | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the… |
| CVE-2026-25951 | Frangoteam / FUXA | — | 0.00 | — | 0.01 | — | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal… |
| CVE-2026-25939 | Frangoteam / FUXA | — | 0.00 | — | 0.12 | — | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA… |
| CVE-2026-25938 | Frangoteam / FUXA | — | 0.00 | — | 0.01 | — | Feb 9, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has… |
| CVE-2026-25751 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | Feb 6, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker… |
| CVE-2026-25752 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | Feb 6, 2026 | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based… |
| CVE-2025-69970 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | Feb 3, 2026 | FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access… |
| CVE-2025-69971 | Frangoteam / FUXA | — | 0.00 | — | 0.02 | — | Feb 3, 2026 | FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative… |
| CVE-2025-69983 | Frangoteam / FUXA | — | 0.00 | — | 0.00 | — | Feb 3, 2026 | FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full… |
| CVE-2025-69981 | Frangoteam / FUXA | — | 0.00 | — | 0.01 | — | Feb 3, 2026 | FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as… |