FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue

Description

An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.

Recommendation

Update the fuxa-server package to the latest compatible version. Followings are version details:

• Affected version(s): = 1.3.0
• Patched version(s): 1.3.1

References

• GHSA-fwcm-rqvw-j3p7
• CVE-2026-43946
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• FUXA Unauthenticated Remote Arbitrary Device Tag Write - CVE-2026-25752
• FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
• FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894

You might also like:

Exploiting Server Version Disclosure

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

fuxa-server