Description
Description An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Recommendation
Update the fuxa-server package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.2.9
- Patched version(s): 1.2.10
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- FUXA Unauthenticated Remote Arbitrary Scheduler Write - CVE-2026-25939
- FUXA Unauthenticated Remote Code Execution in Node-RED Integration - CVE-2026-25938
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on February 06, 2026