GHSA-68M5-5W2H-H837
Vulnerability from github – Published: 2026-02-10 00:29 – Updated: 2026-02-10 14:18Summary
A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release .
Details
This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:
Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences. Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs. Escalation to RCE: By targeting the upload and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports.
Impact
Remote Code Execution (RCE): Transition from application admin to full system control. SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms. Data Integrity & Availability: Full access to projects, credentials, and historical logs.
Patches
This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.10"
},
"package": {
"ecosystem": "npm",
"name": "fuxa-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25951"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-10T00:29:00Z",
"nvd_published_at": "2026-02-09T23:16:06Z",
"severity": "HIGH"
},
"details": "### Summary\nA flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release .\n\n\n### Details\nThis report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:\n\nPatch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current \"single-pass\" regex approach is insufficient against nested sequences.\nExpansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs.\nEscalation to RCE: By targeting the \nupload\n and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports.\n\n\n### Impact\nRemote Code Execution (RCE): Transition from application admin to full system control.\nSCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms.\nData Integrity \u0026 Availability: Full access to projects, credentials, and historical logs.\n\n### Patches\n\nThis issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.",
"id": "GHSA-68m5-5w2h-h837",
"modified": "2026-02-10T14:18:49Z",
"published": "2026-02-10T00:29:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25951"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/pull/2177"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/commit/3ecce46333ed33e3f66f378e38e317cde702b0ae"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/commit/f7a9f04b2ab97ab5421e4ec4e711c51e9f4b65c8"
},
{
"type": "PACKAGE",
"url": "https://github.com/frangoteam/FUXA"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FUXA Affected by a Path Traversal Sanitization Bypass"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.