CVE-2026-25951

EPSS 0.04%

FUXA Affected by a Path Traversal Sanitization Bypass

Published: 2/10/2026Modified: 2/22/2026

Description

### Summary A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release . ### Details This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways: Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences. Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs. Escalation to RCE: By targeting the upload and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports. ### Impact Remote Code Execution (RCE): Transition from application admin to full system control. SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms. Data Integrity & Availability: Full access to projects, credentials, and historical logs. ### Patches This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (7)