FUXA allows Remote Code Execution (RCE) via the project import functionality.

Description

FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.2.7

References

• GHSA-5r63-q8hg-p8qx
• CVE-2025-69983
• CWE-78
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
• FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• JSONPath Plus allows Remote Code Execution - CVE-2025-1302

Tags:

npm

fuxa-server