FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass

Description

An unauthenticated Remote Code Execution vulnerability exists in FUXA when secureEnabled is set to true. The POST /api/runscript endpoint checks authorization against the stored script’s permission by ID, but when test: true is set in the request, it compiles and executes attacker-supplied code instead of the stored script’s code.

Recommendation

Update the fuxa-server package to the latest compatible version. Followings are version details:

• Affected version(s): = 1.3.0
• Patched version(s): 1.3.1

References

• GHSA-rg3m-cfq7-g6h6
• CVE-2026-43947
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - paperclipai - CVE-2026-41679
• paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679
• FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
• FUXA Unauthenticated Remote Code Execution via Admin JWT Minting - CVE-2026-25893

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

fuxa-server