CVE-2026-25894

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25894
Aliases
Published
2026-02-09T22:28:46.316Z
Modified
2026-03-02T19:55:53.759207Z
Severity
  • 9.5 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Details

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1188",
        "CWE-321"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25894.json"
}
References

Affected packages

Git / github.com/frangoteam/fuxa

Affected ranges

Type
GIT
Repo
https://github.com/frangoteam/fuxa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b873cdf32a63bcfaa6de8b724781f63c6f977c69

Affected versions

1.*
1.2.3
Other
untagged-fb3c7751ca725cb671dd
v.*
v.1.1.18
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.1_alfa
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.01
v1.1.10
v1.1.11
v1.1.11-2
v1.1.11-3
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.19
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.2
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25894.json"