CVE-2025-69981

CRITICAL

Frangoteam Fuxa - Unrestricted File Upload

Title source: rule

Description

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

References (1)

[Product] https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193

Scores

CVSS v3 9.8

EPSS 0.0006

EPSS Percentile 19.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (2)

frangoteam/fuxa 1.2.7

npm/fuxa-server 0npm

Published Feb 03, 2026

Tracked Since Feb 18, 2026