Description
Description An authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.
Recommendation
Update the fuxa-server package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.2.8, < 1.2.11
- Patched version(s): 1.2.11
References
Related Issues
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
- FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- FUXA allows Remote Code Execution (RCE) via the project import functionality. - CVE-2025-69983
- Tags:
- npm
- fuxa-server
Anything's wrong? Let us know Last updated on February 10, 2026