FUXA contains an insecure default configuration vulnerability

Description

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The ‘secureEnabled’ flag is commented out by default, causing the application to initialize with authentication disabled.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.2.7

References

• GHSA-r5m2-fqcf-qrf7
• CVE-2025-69970
• CWE-1188
• CWE-306
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• FUXA contains an Unrestricted File Upload vulnerability - CVE-2025-69981
• FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
• Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
• FUXA allows Remote Code Execution (RCE) via the project import functionality. - CVE-2025-69983

You might also like:

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:

npm

fuxa-server