CVE-2026-25938
CRITICALFUXA 1.2.8-1.2.10 - Unauthenticated Remote Code Execution via Node-RED Plugin
Title source: llmDescription
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f
Patch x_refsource_misc
https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336
Release Notes x_refsource_misc
https://github.com/frangoteam/FUXA/releases/tag/v1.2.11
Scores
CVSS v3
9.8
EPSS
0.0098
EPSS Percentile
57.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-290
CWE-306
Status
published
Products (2)
frangoteam/fuxa
1.2.8 - 1.2.11
npm/fuxa-server
1.2.8 - 1.2.11npm
Published
Feb 09, 2026
Tracked Since
Feb 18, 2026