CVE-2025-69981: FUXA contains an Unrestricted File Upload vulnerability

February 3, 2026 (updated February 4, 2026)

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

References

github.com/advisories/GHSA-7g56-fwxj-cm23
github.com/frangoteam/FUXA
github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js
nvd.nist.gov/vuln/detail/CVE-2025-69981

Code Behaviors & Features

Detect and mitigate CVE-2025-69981 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →