GHSA-c869-jx4c-q5fc

Suggest an improvement
Source
https://github.com/advisories/GHSA-c869-jx4c-q5fc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c869-jx4c-q5fc/GHSA-c869-jx4c-q5fc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c869-jx4c-q5fc
Aliases
Published
2026-02-10T00:28:28Z
Modified
2026-02-10T03:03:44.885103Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H CVSS Calculator
Summary
FUXA Unauthenticated Remote Arbitrary Scheduler Write
Details

Summary

An authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.

Impact

This affects all deployments, including those with runtime.settings.secureEnabled set to true.

Exploitation allows an unauthenticated, remote attacker to automatically authenticate as guest and create, modify or delete schedules. These schedules can be configured to trigger immediately or cyclically, forcing connected devices to specific states or values, or executing existing scripts on the server.

Patches

This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed_at": "2026-02-10T00:28:28Z",
    "nvd_published_at": "2026-02-09T23:16:06Z",
    "severity": "CRITICAL"
}
References

Affected packages

npm / fuxa-server

Package

Name
fuxa-server
View open source insights on deps.dev
Purl
pkg:npm/fuxa-server

Affected ranges

Type
SEMVER
Events
Introduced
1.2.8
Fixed
1.2.11

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-c869-jx4c-q5fc/GHSA-c869-jx4c-q5fc.json"