CVE-2025-69983: FUXA allows Remote Code Execution (RCE) via the project import functionality.

February 3, 2026 (updated February 4, 2026)

FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.

References

github.com/advisories/GHSA-5r63-q8hg-p8qx
github.com/frangoteam/FUXA
github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js
nvd.nist.gov/vuln/detail/CVE-2025-69983

Code Behaviors & Features

Detect and mitigate CVE-2025-69983 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →