CVE-2026-47720

描述

## Summary The TDengine DAQ storage connector's `escapeTdString` at `server/runtime/storage/tdengine/index.js:10` doubles single quotes but does not escape backslashes. TDengine's SQL parser treats `\'` as a literal single quote inside a string, so a tag id of the form `x\' OR 1=1--` escapes the first single quote, lets the doubled quote close the string, and appends an injected clause that runs on the TDengine server. An attacker (Alice) sends the crafted `sids` value through `GET /api/daq` or the Socket.IO `DAQ_QUERY` event and reads every row in `fuxa.meters`, which holds the historical tag values of every PLC the FUXA instance records. ## Details The TDengine DAQ storage connector did not correctly sanitize user-controlled values before including them in SQL queries. A specially crafted tag identifier could bypass the intended escaping logic and alter the query executed against the TDengine database. This could allow unauthorized access to historical DAQ data stored in TDengine, including recorded tag values and related metadata. The issue has been fixed in version 1.3.2 by improving input escaping in the TDengine connector. ## Impact An attacker with network access to a FUXA instance configured with TDengine as the DAQ backend reads the entire historical tag-value archive: every PLC tag the instance has recorded, plus the associated device ids and device names. Turning on authentication does not close the gap: the Socket.IO `DAQ_QUERY` handler has no authorization check, and `/api/daq` accepts guest-level requests. No login is needed in the default configuration. **CVSS 3.1**: `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (Medium, 5.3). CWE-89. --- A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2. --- *Found by [aisafe.io](https://aisafe.io)*

如何修補 CVE-2026-47720

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2026-47720 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-47720 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)