Impact
A path traversal flaw in the FUXA upload API allows an unauthenticated, remote attacker to write files to arbitrary locations on the server filesystem. The CVE description stops short of stating that such writes lead to remote code execution, but an arbitrary file write is routinely one step away from it: an attacker who can create or overwrite application code, configuration, startup scripts or files that the server later executes or serves controls what the application runs.
Affected Systems
The vulnerability is present in all releases of FUXA up to and including version 1.2.9. The affected product is the FUXA web-based process visualization tool developed by frangoteam. Version 1.2.10 contains the patch that resolves the path traversal; deployments should upgrade to that release or later.
Risk and Exploitability
The CVSS score of 9.5 places the issue in the Critical severity band. The EPSS score is 0.02675, an estimated probability of roughly 2.7% that exploitation activity is observed in the next 30 days, which is relatively low; even so, the flaw is unauthenticated and requires only a single crafted HTTP request to the upload endpoint, so it is cheap to attempt at scale. It is not listed in the CISA KEV catalog. While the description does not confirm code execution, the ability to write to any location on the server exposes the system to compromise, especially if the uploaded files are later executed or served by the application.
OpenCVE Enrichment
Github GHSA