FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API

Severity:: High

Description

Description A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

Recommendation

Update the fuxa-server package to the latest compatible version. Followings are version details:

Affected version(s): <= 1.2.9
Patched version(s): 1.2.10

References

GHSA-88qh-cphv-996c
CVE-2026-25895
CWE-22
CWE-306
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6
OWASP 2021-A7

Related Issues

FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893
FUXA Unauthenticated Remote Arbitrary Device Tag Write - CVE-2026-25752
FUXA Unauthenticated Remote Arbitrary Scheduler Write - CVE-2026-25939

Tags:: npm; fuxa-server

Anything's wrong? Let us know Last updated on February 10, 2026