Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
Published: 2026-02-09
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authentication bypass in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The vulnerability allows privileged operations without authentication, and it is related to authentication weaknesses as classified by CWE-290 and CWE-306.

Affected Systems

The vulnerability affects the FUXA web-based process visualization platform from frangoteam, specifically versions 1.2.8 through 1.2.10 when the Node-RED integration is activated. The issue has been corrected in FUXA 1.2.11 and later releases.

Risk and Exploitability

The CVSS score of 9.5 indicates critical severity. The EPSS score below 1% suggests a currently low probability of exploitation, though that could rise as the vulnerability becomes widely known. The vulnerability is not listed in the CISA KEV catalog. Attackers can send unauthenticated requests to the FUXA server over the network; if the Node-RED plugin is enabled, the vulnerability permits arbitrary code execution on the host, leading to full system compromise. Defensive measures must therefore focus on patching or disabling the vulnerable component.

Generated by OpenCVE AI on April 18, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FUXA to version 1.2.11 or later to receive the patch that fixes the authentication bypass.
  • If an upgrade cannot be performed immediately, disable the Node-RED plugin or restrict access so that only authenticated users can invoke it.
  • Reconfigure any web server or reverse-proxy that sits in front of FUXA to enforce authentication on all endpoints, ensuring no unauthenticated access to the application.

Advisories
Source: GitHub GHSA
ID: GHSA-v4p5-w6r3-2x4f
Title: FUXA Unauthenticated Remote Code Execution in Node-RED Integration

History

Fri, 13 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Frangoteam, Frangoteam fuxa
Vendors & Products Frangoteam, Frangoteam fuxa

Mon, 09 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
Title FUXA Unauthenticated Remote Code Execution in Node-RED Integration
Weaknesses CWE-290, CWE-306
References
Metrics cvssV4_0 {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T21:22:19.452Z

Reserved: 2026-02-09T16:22:17.786Z

Link: CVE-2026-25938

Vulnrichment

Updated: 2026-02-11T21:22:17.137Z

NVD

Status: Analyzed

Published: 2026-02-09T23:16:06.100

Modified: 2026-02-13T20:31:47.513

Link: CVE-2026-25938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses