Advisories for Npm/Fuxa-Server package

2026

FUXA contains an Unrestricted File Upload vulnerability

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

FUXA contains an insecure default configuration vulnerability

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

FUXA contains a hard-coded credential vulnerability

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

FUXA allows Remote Code Execution (RCE) via the project import functionality.

FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.

2023

Advisories for Npm/Fuxa-Server package

FUXA contains an Unrestricted File Upload vulnerability

FUXA contains an insecure default configuration vulnerability

FUXA contains a hard-coded credential vulnerability

FUXA allows Remote Code Execution (RCE) via the project import functionality.

FUXA SQL Injection vulnerability

FUXA SQL Injection vulnerability

FUXA local file inclusion vulnerability