GHSA-vwcg-c828-9822: FUXA Unauthenticated Remote Code Execution via Admin JWT Minting

February 5, 2026

An authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled. This issue has been patched in FUXA version 1.2.10.

References

github.com/advisories/GHSA-vwcg-c828-9822
github.com/frangoteam/FUXA
github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb
github.com/frangoteam/FUXA/security/advisories/GHSA-vwcg-c828-9822

Code Behaviors & Features

Detect and mitigate GHSA-vwcg-c828-9822 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →