CRITICAL 9.8 CVE-2025-69983 FUXA allows Remote Code Execution (RCE) via the project import functionality.
from 0, <= 1.2.7
from 0, <= 1.1.12
HIGH 8.2 CVE-2026-47719 FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
from 0, <= 1.1.14-1243
HIGH 8.1 FUXA has a hardcoded fallback JWT signing secret
from 0, <= 1.2.7
HIGH 7.5 FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations
>= 1.3.0, < 1.3.1
HIGH 7.5 FUXA local file inclusion vulnerability
from 0, <= 1.1.12
HIGH 7.5 FUXA SQL Injection vulnerability
from 0, <= 1.1.12
MEDIUM 6.3 FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
from 0, <= 1.1.14-1243
MEDIUM 5.3 FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
from 0, <= 1.1.14-1243
— FUXA provides guest and invalid-token access to protected read APIs in secure mode
>= 1.3.0-2773, < 1.3.1
— FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
>= 1.3.0, < 1.3.1
— FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
>= 1.3.0, < 1.3.1
— FUXA Affected by a Path Traversal Sanitization Bypass
from 0, < 1.2.11
— FUXA Unauthenticated Remote Arbitrary Scheduler Write
>= 1.2.8, < 1.2.11
— FUXA Unauthenticated Remote Code Execution in Node-RED Integration
>= 1.2.8, < 1.2.11
— FUXA Unauthenticated Remote Arbitrary Device Tag Write
from 0, < 1.2.10
— FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API
from 0, < 1.2.10
— FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
from 0, < 1.2.10
— FUXA Unauthenticated Exposure of Plaintext Database Credentials
from 0, < 1.2.10
— FUXA Unauthenticated Remote Code Execution via Admin JWT Minting
from 0, < 1.2.10
— FUXA contains an insecure default configuration vulnerability
from 0, <= 1.2.7
— FUXA contains an Unrestricted File Upload vulnerability
from 0, <= 1.2.7