pkg:npm/fuxa-server

19 total CVEs (CRITICAL: 2, HIGH: 4)

All known vulnerabilities

  • CRITICAL 9.8, CVE-2025-69983: FUXA allows Remote Code Execution (RCE) via the project import functionality.
    from 0, <= 1.2.7
  • CRITICAL 9.8, CVE-2023-31719: FUXA SQL Injection vulnerability
    from 0, <= 1.1.12
  • HIGH 8.1, CVE-2025-69971: FUXA has a hardcoded fallback JWT signing secret
    from 0, <= 1.2.7
  • HIGH 7.5, CVE-2026-47717: FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations
    >= 1.3.0, < 1.3.1
  • HIGH 7.5, CVE-2023-31718: FUXA local file inclusion vulnerability
    from 0, <= 1.1.12
  • HIGH 7.5, CVE-2023-31717: FUXA SQL Injection vulnerability
    from 0, <= 1.1.12
  • CVE-2026-47718: FUXA provides guest and invalid-token access to protected read APIs in secure mode
    >= 1.3.0-2773, < 1.3.1
  • CVE-2026-43947: FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
    >= 1.3.0, < 1.3.1
  • CVE-2026-43946: FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
    >= 1.3.0, < 1.3.1
  • CVE-2026-25951: FUXA Affected by a Path Traversal Sanitization Bypass
    from 0, < 1.2.11
  • CVE-2026-25939: FUXA Unauthenticated Remote Arbitrary Scheduler Write
    >= 1.2.8, < 1.2.11
  • CVE-2026-25938: FUXA Unauthenticated Remote Code Execution in Node-RED Integration
    >= 1.2.8, < 1.2.11
  • CVE-2026-25752: FUXA Unauthenticated Remote Arbitrary Device Tag Write
    from 0, < 1.2.10
  • CVE-2026-25895: FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
    from 0, < 1.2.10
  • CVE-2026-25894: FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
    from 0, < 1.2.10
  • CVE-2026-25751: FUXA Unauthenticated Exposure of Plaintext Database Credentials
    from 0, < 1.2.10
  • CVE-2026-25893: FUXA Unauthenticated Remote Code Execution via Admin JWT Minting
    from 0, < 1.2.10
  • CVE-2025-69981: FUXA contains an Unrestricted File Upload vulnerability
    from 0, <= 1.2.7
  • CVE-2025-69970: FUXA contains an insecure default configuration vulnerability
    from 0, <= 1.2.7