FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
- Severity:
- High
Description
Pre-auth RCE in FUXA via Logic Bypass
Summary
A Critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve Full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode Enabled and Node-RED Secure Auth Enabled).
Recommendation
Update the @frangoteam/fuxa package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.2.11, < 1.3.1
- Patched version(s): 1.3.1
References
- GHSA-p69w-mmfv-xrfj
- CVE-2026-43945
- CWE-284
- CWE-288
- CWE-863
- CWE-94
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection - CVE-2026-31975
- claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh - CVE-2026-45136
- Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
- Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
You might also like:
- Tags:
- npm
- @frangoteam/fuxa
Anything's wrong? Let us know Last updated on May 26, 2026


