CVE-2025-69981

CRITICAL

FUXA v1.2.7 - Unauthenticated Unrestricted File Upload via /api/upload Endpoint

Title source: llm

Description

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

References (1)

Core 1

Core References

Product

https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193

Scores

CVSS v3 9.8

EPSS 0.0073

EPSS Percentile 49.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (2)

frangoteam/fuxa 1.2.7

npm/fuxa-server 0npm

Published Feb 03, 2026

Tracked Since Feb 18, 2026