CVE-2026-25751

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/frangoteam/FUXA/releases/tag/v1.2.10	Release Notes
https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*

History

10 Feb 2026, 14:33

Type	Values Removed	Values Added
CPE		cpe:2.3:a:frangoteam:fuxa::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Frangoteam Frangoteam fuxa
References	~~() https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 -~~	() https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 - Release Notes
References	~~() https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx -~~	() https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx - Vendor Advisory

06 Feb 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-06 19:16

Updated : 2026-02-10 14:33

NVD link : CVE-2026-25751

Mitre link : CVE-2026-25751

CVE.ORG link : CVE-2026-25751

JSON object : View

Products Affected

frangoteam

fuxa

CWE

CWE-306

Missing Authentication for Critical Function

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2026-25751", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-06T19:16:10.163", "references": [{"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10."}], "lastModified": "2026-02-10T14:33:38.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5811902D-CD7C-4D52-BD99-66EACBBB88FC", "versionEndExcluding": "1.2.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}