CVE-2025-69985

Critical CVSS: 9.8

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Vendor

Frangoteam

Product

Fuxa

CWE

CWE-288

Yayın Tarihi

2026-02-24 16:24:07

Güncelleme

2026-02-26 19:39:20

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-288 Fuxa CRITICAL Frangoteam 2026

Referanslar

https://gist.github.com/lihy10/8cb2dd65ebf1385f12a7e00e25a50d40 https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js

Benzer Kayıtlar

Critical

CVE-2026-25938

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication b…

Critical

CVE-2026-25939

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authori…

High

CVE-2026-25951

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path s…

Critical

CVE-2026-25893

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vuln…

Critical

CVE-2026-25894

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allo…

Critical

CVE-2026-25895

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows…