Missing Authentication for Critical Function in fuxa-server | CVE-2026-25895

Q: How to fix?

A fix was pushed into the master branch but not yet published.

Introduced: 5 Feb 2026

NewCVE-2026-25895 (opens in a new tab) CWE-22 (opens in a new tab) CWE-306 (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

fuxa-server is a Web-based Process Visualization (SCADA/HMI/Dashboard) software

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the upload API. An attacker can overwrite arbitrary files on the server filesystem by sending crafted requests, potentially leading to execution of malicious code if critical files such as application code, startup scripts, or configuration files are replaced. This can result in full system compromise, especially if overwritten files are executed or loaded by the application or operating system.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
High
Integrity (SI)
High
Availability (SA)
High

Missing Authentication for Critical Function Affecting fuxa-server package, versions *

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 5 Feb 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk