CVE-2026-25951: FUXA Affected by a Path Traversal Sanitization Bypass
A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. Because the sanitizer removes traversal sequences in a single pass, nested sequences (e.g., `....//`) collapse into a plain `../` after sanitization, allowing arbitrary files to be written to the server filesystem, including sensitive directories such as `runtime/scripts`. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This is a new vulnerability: a bypass of the sanitization fix shipped in the previous release.
References
- github.com/advisories/GHSA-68m5-5w2h-h837
- github.com/frangoteam/FUXA
- github.com/frangoteam/FUXA/commit/3ecce46333ed33e3f66f378e38e317cde702b0ae
- github.com/frangoteam/FUXA/pull/2177
- github.com/frangoteam/FUXA/releases/tag/v1.2.11
- github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837
- nvd.nist.gov/vuln/detail/CVE-2026-25951