CVE-2026-25751

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/frangoteam/FUXA/releases/tag/v1.2.10	Release Notes
https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 19:16

Updated : 2026-02-10 14:33

NVD link : CVE-2026-25751

Mitre link : CVE-2026-25751

CVE.ORG link : CVE-2026-25751

JSON object : View

Products Affected

frangoteam

fuxa

CWE

CWE-306

Missing Authentication for Critical Function

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2026-25751", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-06T19:16:10.163", "references": [{"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10."}, {"lang": "es", "value": "FUXA es un software de visualizaci\u00f3n de procesos (SCADA/HMI/Dashboard) basado en web. Una vulnerabilidad de revelaci\u00f3n de informaci\u00f3n en FUXA permite a un atacante remoto no autenticado recuperar credenciales administrativas sensibles de la base de datos. La explotaci\u00f3n permite a un atacante remoto no autenticado obtener la configuraci\u00f3n completa del sistema, incluyendo las credenciales administrativas para la base de datos InfluxDB. La posesi\u00f3n de estas credenciales puede permitir a un atacante autenticarse directamente en el servicio de la base de datos, permiti\u00e9ndole leer, modificar o eliminar todos los datos hist\u00f3ricos del proceso, o realizar una denegaci\u00f3n de servicio corrompiendo la base de datos. Esto afecta a FUXA hasta la versi\u00f3n 1.2.9. Este problema ha sido parcheado en la versi\u00f3n 1.2.10 de FUXA."}], "lastModified": "2026-02-10T14:33:38.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5811902D-CD7C-4D52-BD99-66EACBBB88FC", "versionEndExcluding": "1.2.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}