FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
- Severity: High
Description
Pre-auth RCE in FUXA via Logic Bypass
Summary
A critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve full remote code execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode enabled and Node-RED Secure Auth enabled).
Recommendation
Update the @frangoteam/fuxa package to the latest compatible version. Version details:
- Affected version(s): >= 1.2.11, < 1.3.1
- Patched version(s): 1.3.1
References
- GHSA-p69w-mmfv-xrfj
- CVE-2026-43945
- CWE-284
- CWE-288
- CWE-863
- CWE-94
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection - CVE-2026-31975
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
- FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
- claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh - CVE-2026-45136
- Tags: npm, @frangoteam/fuxa
Last updated on May 26, 2026


