Description
Description An authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.
Recommendation
Update the fuxa-server package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.2.8, < 1.2.11
- Patched version(s): 1.2.11
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
You might also like:
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on February 10, 2026