CVE-2026-25951
FUXA Affected by a Path Traversal Sanitization Bypass
Description
### Summary A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release . ### Details This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways: Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences. Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs. Escalation to RCE: By targeting the upload and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports. ### Impact Remote Code Execution (RCE): Transition from application admin to full system control. SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms. Data Integrity & Availability: Full access to projects, credentials, and historical logs. ### Patches This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.
How to fix CVE-2026-25951
To remediate CVE-2026-25951, upgrade the affected package to a fixed version below.
- —upgrade to 1.2.11 or later
Is CVE-2026-25951 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.