FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations
- Severity:
- High
Description
The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled.
Recommendation
Update the fuxa-server package to the latest compatible version. Followings are version details:
- Affected version(s): = 1.3.0
- Patched version(s): 1.3.1
References
Related Issues
- FUXA Unauthenticated Remote Arbitrary Device Tag Write - CVE-2026-25752
- FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue - CVE-2026-43946
- FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
You might also like:
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on May 27, 2026