FUXA Unauthenticated Remote Arbitrary Device Tag Write

Description

Description An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

Recommendation

Update the fuxa-server package to the latest compatible version. Followings are version details:

• Affected version(s): <= 1.2.9
• Patched version(s): 1.2.10

References

• GHSA-ggxw-g3cp-mgf8
• CVE-2026-25752
• CWE-862
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• FUXA Unauthenticated Remote Arbitrary Scheduler Write - CVE-2026-25939
• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue - CVE-2026-43946
• FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

fuxa-server