CVE 9.5 CRITICAL

FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API_CVE-2026-25895

February 9, 2026 invoker category_cve

9.5 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

AI Analysis

Unauthenticated remote code execution via arbitrary file write in Upload API

Basic Information

ID CVE-2026-25895

Source GitHub_M

Published Feb 9, 2026 at 22:29

Modified Feb 9, 2026 at 22:30

Affected Product

Vendor frangoteam

Product FUXA

Version < 1.2.10

Affected Versions frangoteam FUXA < 1.2.10

CWE Classification

CWE-22 CWE-306

AI Assessment

AI Score 9.5 / 10

AI Severity Critical

Vendor frangoteam

Product FUXA

Version < 1.2.10

References

{
    "lastseen": "",
    "description": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.",
    "published": "2026-02-09T22:29:48.203Z",
    "modified": "2026-02-09T22:30:05.359Z",
    "type": "cve",
    "title": "FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API",
    "source": "GitHub_M",
    "references": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-88qh-cphv-996c\nhttps://github.com/frangoteam/FUXA/commit/22c2192f5d9beef8a787c45eff3a14c24dbb5f96\nhttps://github.com/frangoteam/FUXA/releases/tag/v1.2.10",
    "id": "CVE-2026-25895",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "frangoteam FUXA < 1.2.10",
    "sourceHref": "",
    "cvss": {
        "score": 9.5,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FUXA",
    "version": "< 1.2.10",
    "vendor": "frangoteam",
    "ai_description": "Unauthenticated remote code execution via arbitrary file write in Upload API",
    "ai_severity": "Critical",
    "ai_vendor": "frangoteam",
    "ai_product": "FUXA",
    "ai_version": "< 1.2.10",
    "ai_score": 9.5
}

💭 Join the Security Discussion ❌ Cancel Reply