Authentication Bypass in FUXA Web-Based Process Visualization Software
CVE-2026-25938

9.5CRITICAL

Key Information:

Vendor

Frangoteam

Status
Fuxa
Vendor
CVE Published:
9 February 2026

What is CVE-2026-25938?

FUXA, a web-based Process Visualization software, is susceptible to an authentication bypass vulnerability when the Node-RED plugin is enabled. This flaw allows an unauthenticated remote attacker to execute arbitrary code on the server, posing a significant risk to system integrity. This issue has been resolved in FUXA version 1.2.11, and users are urged to upgrade to this version to mitigate potential exploitation.

Affected Version(s)

FUXA >= 1.2.8, < 1.2.11

References

https://github.com/frangoteam/FUXA/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/frangoteam/FUXA/commit/5e7679b09718534...
x_refsource_MISC
https://github.com/frangoteam/FUXA/releases/tag/v1.2.11
x_refsource_MISC

CVSS V4

Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.