← volver
CVE-2026-25895

FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API

CVSS 9.5 CRITICALEPSS 2.7%CWE-22CWE-306
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Productos afectados
frangoteam · FUXA
PoCs públicas encontradas2
githubgithub.com/Hann1bl3L3ct3r/FUXAPWN0exploitdbwww.exploit-db.com/exploits/52568no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/frangoteam/FUXA/commit/22c2192f5d9beef8a787c45eff3a14c24dbb5f96https://github.com/frangoteam/FUXA/releases/tag/v1.2.10https://github.com/frangoteam/FUXA/security/advisories/GHSA-88qh-cphv-996c