GHSA-r5m2-fqcf-qrf7

Source

https://github.com/advisories/GHSA-r5m2-fqcf-qrf7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-r5m2-fqcf-qrf7/GHSA-r5m2-fqcf-qrf7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r5m2-fqcf-qrf7

Aliases

CVE-2025-69970

Published

2026-02-03T18:30:47Z

Modified

2026-02-10T01:35:09.598348Z

Severity

8.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

FUXA contains an insecure default configuration vulnerability

Details

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-02-03T18:16:17Z",
    "cwe_ids": [
        "CWE-1188",
        "CWE-306"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-02-04T19:34:40Z"
}

References

Affected packages

npm / fuxa-server

Package

Name: fuxa-server; View open source insights on deps.dev
Purl: pkg:npm/fuxa-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.2.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-r5m2-fqcf-qrf7/GHSA-r5m2-fqcf-qrf7.json"