Description
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The ‘secureEnabled’ flag is commented out by default, causing the application to initialize with authentication disabled.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.2.7
References
Related Issues
- FUXA contains an Unrestricted File Upload vulnerability - CVE-2025-69981
- FUXA contains a hard-coded credential vulnerability - CVE-2025-69971
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA SQL Injection vulnerability (GHSA-p46g-8c3q-89p2) - CVE-2023-31719
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on February 10, 2026