CRITICAL 9.8
GHSA-5r63-q8hg-p8qx
FUXA allows Remote Code Execution (RCE) via the project import functionality.
Details
FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.
Affected packages
npm / fuxa-server
Introduced in: 0
No fixed version published yet for fuxa-server (npm). Pin to a known-safe version or switch to an alternative.