CVE-2026-25938

Summary

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.

Affected Software

VendorProductVersion RangeStatus
frangoteamFUXA>= 1.2.8, < 1.2.11affected

Weaknesses

  • CWE-290: CWE-290: Authentication Bypass by Spoofing
  • CWE-306: CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References