FUXA Unauthenticated Exposure of Plaintext Database Credentials

Description

An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

Recommendation

Update the fuxa-server package to the latest compatible version. Followings are version details:

• Affected version(s): <= 1.2.9
• Patched version(s): 1.2.10

References

• GHSA-c5gq-4h56-4mmx
• CVE-2026-25751
• CWE-306
• CWE-312
• CAPEC-310
• OWASP 2021-A4
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• FUXA Unauthenticated Remote Arbitrary Device Tag Write - CVE-2026-25752
• FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
• FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue - CVE-2026-43946
• FUXA Unauthenticated Remote Code Execution in Node-RED Integration - CVE-2026-25938

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

fuxa-server