{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25938", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.786Z", "datePublished": "2026-02-09T22:18:15.774Z", "dateUpdated": "2026-02-11T21:22:19.452Z"}, "containers": {"cna": {"title": "FUXA Unauthenticated Remote Code Execution in Node-RED Integration", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.5, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f"}, {"name": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336", "tags": ["x_refsource_MISC"], "url": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336"}, {"name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"}], "affected": [{"vendor": "frangoteam", "product": "FUXA", "versions": [{"version": ">= 1.2.8, < 1.2.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T22:18:15.774Z"}, "descriptions": [{"lang": "en", "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11."}], "source": {"advisory": "GHSA-v4p5-w6r3-2x4f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:22:14.141150Z", "id": "CVE-2026-25938", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:22:19.452Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T21:22:14.141150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:22:17.137Z"}}], "cna": {"title": "FUXA Unauthenticated Remote Code Execution in Node-RED Integration", "source": {"advisory": "GHSA-v4p5-w6r3-2x4f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.5, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "frangoteam", "product": "FUXA", "versions": [{"status": "affected", "version": ">= 1.2.8, < 1.2.11"}]}], "references": [{"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f", "name": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336", "name": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11", "name": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T22:18:15.774Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25938", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:22:19.452Z", "dateReserved": "2026-02-09T16:22:17.786Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T22:18:15.774Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCAAE051-0029-45D1-82C7-06B082BC7FD5", "versionEndExcluding": "1.2.11", "versionStartIncluding": "1.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11."}], "id": "CVE-2026-25938", "lastModified": "2026-02-13T20:31:47.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T23:16:06.100", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.8,1.2.11)"}}], "product": "fuxa", "vendor": "frangoteam"}], "analysis": {"en": {"generated_at": "2026-04-18T12:56:41.251231+00:00", "value": {"mitigation_remediation": ["Upgrade FUXA to version 1.2.11 or later to receive the patch that fixes the authentication bypass.", "If an upgrade cannot be performed immediately, disable the Node-RED plugin or restrict access so that only authenticated users can invoke it.", "Reconfigure any web server or reverse-proxy that sits in front of FUXA to enforce authentication on all endpoints, ensuring no unauthenticated access to the application."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the FUXA web-based process visualization platform from frangoteam, specifically versions 1.2.8 through 1.2.10 when the Node-RED integration is activated. The issue has been corrected in FUXA 1.2.11 and later releases.", "description_and_impact": "An authentication bypass in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The vulnerability allows privileged operations without authentication, and it is related to authentication weaknesses as classified by CWE-290 and CWE-306.", "risk_and_exploitability": "The CVSS score of 9.5 indicates a critical severity, with an EPSS score below 1% suggesting a currently low probability of exploitation, though that could rise as the vulnerability becomes widely known. The vulnerability is not listed in the CISA KEV catalog. Attackers can send unauthenticated requests to the FUXA server over the network; if the Node-RED plugin is enabled, the vulnerability permits arbitrary code execution on the host, leading to full system compromise. Defensive measures must therefore focus on patching or disabling the vulnerable component."}}}}, "created": "2026-02-10T11:34:53.745177+00:00", "updated": "2026-04-18T13:00:08.761504+00:00", "vendors": ["frangoteam", "frangoteam$PRODUCT$fuxa"]}