Description
An authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.
Recommendation
Update the fuxa-server package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.2.8, < 1.2.11
- Patched version(s): 1.2.11
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- FUXA Unauthenticated Remote Arbitrary Device Tag Write - CVE-2026-25752
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on February 10, 2026