Skip to main content

CVE-2026-47720

MEDIUM
SQL Injection (CWE-89)
2026-06-08 https://github.com/frangoteam/FUXA GHSA-h9fj-c2qr-76g2
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 08, 2026 - 23:40 vuln.today
Analysis Generated
Jun 08, 2026 - 23:40 vuln.today

DescriptionGitHub Advisory

Summary

The TDengine DAQ storage connector's escapeTdString at server/runtime/storage/tdengine/index.js:10 doubles single quotes but does not escape backslashes. TDengine's SQL parser treats \' as a literal single quote inside a string, so a tag id of the form x\' OR 1=1-- escapes the first single quote, lets the doubled quote close the string, and appends an injected clause that runs on the TDengine server. An attacker (Alice) sends the crafted sids value through GET /api/daq or the Socket.IO DAQ_QUERY event and reads every row in fuxa.meters, which holds the historical tag values of every PLC the FUXA instance records.

Details

The TDengine DAQ storage connector did not correctly sanitize user-controlled values before including them in SQL queries.

A specially crafted tag identifier could bypass the intended escaping logic and alter the query executed against the TDengine database.

This could allow unauthorized access to historical DAQ data stored in TDengine, including recorded tag values and related metadata.

The issue has been fixed in version 1.3.2 by improving input escaping in the TDengine connector.

Impact

An attacker with network access to a FUXA instance configured with TDengine as the DAQ backend reads the entire historical tag-value archive: every PLC tag the instance has recorded, plus the associated device ids and device names. Turning on authentication does not close the gap: the Socket.IO DAQ_QUERY handler has no authorization check, and /api/daq accepts guest-level requests. No login is needed in the default configuration.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Medium, 5.3). CWE-89. --- A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.

--- *Found by aisafe.io*

AnalysisAI

SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in escapeTdString (server/runtime/storage/tdengine/index.js:10), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the sids parameter on GET /api/daq or the Socket.IO DAQ_QUERY event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.

Share

CVE-2026-47720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy