CVE-2026-25951

HIGH

Frangoteam Fuxa < 1.2.11 - Path Traversal

Title source: rule

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.

References (3)

Scores

CVSS v3 7.2
EPSS 0.0003
EPSS Percentile 9.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-184 CWE-22 CWE-23
Status published

Affected Products (2)

frangoteam/fuxa < 1.2.11
npm/fuxa-server < 1.2.11npm

Timeline

Published Feb 09, 2026
Tracked Since Feb 18, 2026