CVE-2026-47720
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The TDengine DAQ storage connector's escapeTdString at server/runtime/storage/tdengine/index.js:10 doubles single quotes but does not escape backslashes. TDengine's SQL parser treats \' as a literal single quote inside a string, so a tag id of the form x\' OR 1=1-- escapes the first single quote, lets the doubled quote close the string, and appends an injected clause that runs on the TDengine server. An attacker (Alice) sends the crafted sids value through GET /api/daq or the Socket.IO DAQ_QUERY event and reads every row in fuxa.meters, which holds the historical tag values of every PLC the FUXA instance records.
Details
The TDengine DAQ storage connector did not correctly sanitize user-controlled values before including them in SQL queries.
A specially crafted tag identifier could bypass the intended escaping logic and alter the query executed against the TDengine database.
This could allow unauthorized access to historical DAQ data stored in TDengine, including recorded tag values and related metadata.
The issue has been fixed in version 1.3.2 by improving input escaping in the TDengine connector.
Impact
An attacker with network access to a FUXA instance configured with TDengine as the DAQ backend reads the entire historical tag-value archive: every PLC tag the instance has recorded, plus the associated device ids and device names. Turning on authentication does not close the gap: the Socket.IO DAQ_QUERY handler has no authorization check, and /api/daq accepts guest-level requests. No login is needed in the default configuration.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Medium, 5.3). CWE-89. --- A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.
--- *Found by aisafe.io*
AnalysisAI
SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in escapeTdString (server/runtime/storage/tdengine/index.js:10), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the sids parameter on GET /api/daq or the Socket.IO DAQ_QUERY event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.
Same weakness CWE-89 – SQL Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h9fj-c2qr-76g2