Description
FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.2.7
References
Related Issues
- FUXA contains an insecure default configuration vulnerability - CVE-2025-69970
- FUXA contains a hard-coded credential vulnerability - CVE-2025-69971
- FUXA local file inclusion vulnerability - CVE-2023-31718
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on February 10, 2026