Skip to main content

Fuxa Scada Hmi

1 CVEs product

Monthly

CVE-2026-13207 HIGH CISA Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
EPSS 0% CVSS 8.7
HIGH Act Now

Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. Successful exploitation returns sensitive user and role data without any credentials. No public exploit identified at time of analysis, though the technique is trivially reproducible and the issue is documented in a CISA ICS advisory (ICSA-26-181-02).

Authentication Bypass Fuxa Scada Hmi
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy