CVE-2025-69970

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-69970

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69970.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-69970

Aliases

GHSA-r5m2-fqcf-qrf7

Published

2026-02-03T18:16:17.260Z

Modified

2026-03-13T03:50:12.204216Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

References

https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js

Affected packages

Git / github.com/frangoteam/fuxa

Affected ranges

Type

GIT

Repo

https://github.com/frangoteam/fuxa

Events

Introduced

Last affected

bbd738d21d7192d5eaaf58577de68eced4a609eb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.7"
        }
    ]
}

Affected versions

1.*

1.2.3

Other

untagged-fb3c7751ca725cb671dd

v.*

v.1.1.18

v1.*

v1.0.0

v1.0.1

v1.0.10

v1.0.11

v1.0.1_alfa

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.01

v1.1.10

v1.1.11

v1.1.11-2

v1.1.11-3

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.16

v1.1.17

v1.1.19

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.2.0

v1.2.1

v1.2.2

v1.2.4

v1.2.5

v1.2.6

v1.2.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69970.json"