CVE-2026-25751
Information Disclosure in FUXA Allows Remote Admin Database Access
Publication date: 2026-02-06
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frangoteam | fuxa | to 1.2.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are strongly advised to upgrade FUXA to version 1.2.10 or later, which contains patches addressing the information disclosure issue.
The update resolves authentication bypass vulnerabilities, enhances protection of sensitive database credentials, enforces stricter authentication and validation, and improves security configuration related to JWT secret management.
Can you explain this vulnerability to me?
CVE-2026-25751 is a critical information disclosure vulnerability in FUXA, a web-based Process Visualization software. It allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials in plaintext, specifically for the InfluxDB database.
Exploitation of this vulnerability enables the attacker to obtain the full system configuration, including administrative credentials, without any authentication or user interaction.
This means the attacker can authenticate directly to the database service and potentially read, modify, or delete all historical process data or cause a Denial of Service by corrupting the database.
The vulnerability is due to missing authentication for critical functions and cleartext storage of sensitive information, and it affects FUXA versions up to 1.2.9. It has been patched in version 1.2.10.
How can this vulnerability impact me? :
If exploited, this vulnerability can have severe impacts including unauthorized access to sensitive administrative credentials for the InfluxDB database.
An attacker with these credentials can read, modify, or delete all historical process data, which could disrupt operations or lead to data loss.
Additionally, the attacker could perform a Denial of Service attack by corrupting the database, potentially causing system downtime or failure.
Since no authentication or user interaction is required, the risk of exploitation is high.