CVE-2025-69981

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-69981
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69981.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-69981
Aliases
Published
2026-02-03T18:16:17.467Z
Modified
2026-03-13T03:50:12.756781Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

References

Affected packages

Git / github.com/frangoteam/fuxa

Affected ranges

Type
GIT
Repo
https://github.com/frangoteam/fuxa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bbd738d21d7192d5eaaf58577de68eced4a609eb
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.7"
        }
    ]
}

Affected versions

1.*
1.2.3
Other
untagged-fb3c7751ca725cb671dd
v.*
v.1.1.18
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.1_alfa
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.01
v1.1.10
v1.1.11
v1.1.11-2
v1.1.11-3
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.19
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.4
v1.2.5
v1.2.6
v1.2.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69981.json"