CVE 8.6 HIGH

FUXA has a Path Traversal Sanitization Bypass_CVE-2026-25951

February 9, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.

AI Analysis

Path Traversal Sanitization Bypass vulnerability allowing Remote Code Execution (RCE) in FUXA prior to version 1.2.11

Basic Information

ID CVE-2026-25951

Source GitHub_M

Published Feb 9, 2026 at 22:24

Affected Product

Vendor frangoteam

Product FUXA

Version < 1.2.11

Affected Versions frangoteam FUXA < 1.2.11

CWE Classification

CWE-22 CWE-23 CWE-184

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor frangoteam

Product FUXA

Version < 1.2.11

References

{
    "lastseen": "",
    "description": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.",
    "published": "2026-02-09T22:24:25.857Z",
    "modified": "2026-02-09T22:24:25.857Z",
    "type": "cve",
    "title": "FUXA has a Path Traversal Sanitization Bypass",
    "source": "GitHub_M",
    "references": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837\nhttps://github.com/frangoteam/FUXA/commit/f7a9f04b2ab97ab5421e4ec4e711c51e9f4b65c8\nhttps://github.com/frangoteam/FUXA/releases/tag/v1.2.11",
    "id": "CVE-2026-25951",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-23",
        "CWE-184"
    ],
    "cvelist": null,
    "sourceData": "frangoteam FUXA < 1.2.11",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FUXA",
    "version": "< 1.2.11",
    "vendor": "frangoteam",
    "ai_description": "Path Traversal Sanitization Bypass vulnerability allowing Remote Code Execution (RCE) in FUXA prior to version 1.2.11",
    "ai_severity": "High",
    "ai_vendor": "frangoteam",
    "ai_product": "FUXA",
    "ai_version": "< 1.2.11",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply