CVE-2026-25951
HIGH
GHSA-68m5-5w2h-h837
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.
Analysis
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all FUXA installations and document current versions. Within 7 days: upgrade all instances to version 1.2.11 or later, prioritizing production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today