Authentication Bypass Vulnerability in FUXA by Frango Team
CVE-2026-13207

8.7HIGH

Key Information:

Vendor: Frangoteam
Status: Fuxa Scada/hmi
Vendor: CVE Published:; 30 June 2026

What is CVE-2026-13207?

FUXA versions up to 1.3.1 are vulnerable due to an issue in the REST API that allows unauthenticated users to bypass authentication checks. This occurs through improper normalization of dot-segment path sequences, enabling access to sensitive user and role data by submitting crafted API requests. Attackers can exploit paths such as /api/./users or /api/project/../users to retrieve information without any authentication credentials.

Affected Version(s)

FUXA SCADA/HMI 0 <= 1.3.1

FUXA SCADA/HMI 1.3.2

References

https://github.com/frangoteam/FUXA/releases

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 24, 2026

Credit

Joshua Hayes of Cited Relevance LLC reported this vulnerability to CISA.

CVE-2026-13207 Data

JSON

Frangoteam

What is CVE-2026-13207?

Affected Version(s)

References

CVSS V4

Timeline

Credit