CVE-2026-43947: FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
An unauthenticated Remote Code Execution vulnerability exists in FUXA even when secureEnabled is set to true, that is, with authentication turned on. The POST /api/runscript endpoint looks up the stored script by the ID supplied in the request and checks authorization against that stored script's permission, but when the request also sets test: true it compiles and executes the code supplied in the request body instead of the stored script's code. The permission check therefore gates on the stored script while the code that actually runs is attacker-controlled. An unauthenticated attacker who knows the ID and name of a server-side script whose stored permission does not restrict anonymous callers can execute arbitrary code on the FUXA server via test mode.
Script IDs and names can be obtained through the unauthenticated information disclosure in GET /api/project (reported separately).
The only prerequisite is that at least one server-side script exists in the project.
References
- github.com/advisories/GHSA-rg3m-cfq7-g6h6
- github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4
- github.com/frangoteam/FUXA/pull/2260
- github.com/frangoteam/FUXA/releases/tag/v1.3.1
- github.com/frangoteam/FUXA/security/advisories/GHSA-rg3m-cfq7-g6h6
- nvd.nist.gov/vuln/detail/CVE-2026-43947