| purl | pkg:npm/fuxa-server@1.2.7 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-869p-p732-pfey (Aliases: GHSA-2r8f-cf6w-x5vq) | Duplicate Advisory: FUXA contains a hard-coded credential vulnerability | There are no reported fixed by versions. |
| VCID-86dh-h577-1ugk (Aliases: CVE-2025-69970, GHSA-r5m2-fqcf-qrf7) | FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation. | There are no reported fixed by versions. |
| VCID-j239-jqn7-fyd7 (Aliases: CVE-2025-69981, GHSA-7g56-fwxj-cm23) | FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. | There are no reported fixed by versions. |
| VCID-mjtt-53n8-9khn (Aliases: CVE-2025-69983, GHSA-5r63-q8hg-p8qx) | FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |