PT-2026-7182 · Fuxa+1 · Fuxa+1

Wodzen · Published 2026-02-09 · Updated 2026-02-12 · CVE-2026-25938

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FUXA versions 1.2.8 through 1.2.10

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authentication bypass in FUXA allows a remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The issue stems from a failure to verify JWT tokens on proxied routes. Exploitation involves sending a crafted request to the /nodered/flows API endpoint, bypassing authentication checks and granting administrative access to the Node-RED deployment API. Submitting a malicious flow configuration can then lead to arbitrary code execution in the context of the FUXA service.

Recommendations

Update FUXA to version 1.2.11 or later.

Exploit · Fix · RCE · Authentication Bypass by Spoofing · Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-25938
GHSA-V4P5-W6R3-2X4F

Affected Products

Fuxa
Node-Red Plugin