A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
- Severity: High
Description
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.1.13
Related Issues
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
- Astro's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793
- FUXA vulnerable to Local File Inclusion - CVE-2023-31716
- Tags: npm, @frangoteam/fuxa
Last updated on November 11, 2023