CVE 10 CRITICAL

FUXA Unauthenticated Remote Code Execution via Admin JWT Minting_CVE-2026-25893

February 9, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.

AI Analysis

Unauthenticated remote code execution via admin JWT minting

Basic Information

ID CVE-2026-25893

Source GitHub_M

Published Feb 9, 2026 at 22:26

Affected Product

Vendor frangoteam

Product FUXA

Version < 1.2.10

Affected Versions frangoteam FUXA < 1.2.10

CWE Classification

CWE-285 CWE-287

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor frangoteam

Product FUXA

Version < 1.2.10

References

{
    "lastseen": "",
    "description": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.",
    "published": "2026-02-09T22:26:45.351Z",
    "modified": "2026-02-09T22:26:45.351Z",
    "type": "cve",
    "title": "FUXA Unauthenticated Remote Code Execution via Admin JWT Minting",
    "source": "GitHub_M",
    "references": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-vwcg-c828-9822\nhttps://github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb",
    "id": "CVE-2026-25893",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "frangoteam FUXA < 1.2.10",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FUXA",
    "version": "< 1.2.10",
    "vendor": "frangoteam",
    "ai_description": "Unauthenticated remote code execution via admin JWT minting",
    "ai_severity": "Critical",
    "ai_vendor": "frangoteam",
    "ai_product": "FUXA",
    "ai_version": "< 1.2.10",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply