CVE-2026-25751
Unknown Unknown - Not Provided
Information Disclosure in FUXA Allows Remote Admin Database Access

Publication date: 2026-02-06

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25751
EUVD
EUVD-2026-5619
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frangoteam fuxa to 1.2.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, users are strongly advised to upgrade FUXA to version 1.2.10 or later, which contains patches addressing the information disclosure issue.

The update resolves authentication bypass vulnerabilities, enhances protection of sensitive database credentials, enforces stricter authentication and validation, and improves security configuration related to JWT secret management.

Executive Summary

CVE-2026-25751 is a critical information disclosure vulnerability in FUXA, a web-based Process Visualization software. It allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials in plaintext, specifically for the InfluxDB database.

Exploitation of this vulnerability enables the attacker to obtain the full system configuration, including administrative credentials, without any authentication or user interaction.

This means the attacker can authenticate directly to the database service and potentially read, modify, or delete all historical process data or cause a Denial of Service by corrupting the database.

The vulnerability is due to missing authentication for critical functions and cleartext storage of sensitive information, and it affects FUXA versions up to 1.2.9. It has been patched in version 1.2.10.

Impact Analysis

If exploited, this vulnerability can have severe impacts including unauthorized access to sensitive administrative credentials for the InfluxDB database.

An attacker with these credentials can read, modify, or delete all historical process data, which could disrupt operations or lead to data loss.

Additionally, the attacker could perform a Denial of Service attack by corrupting the database, potentially causing system downtime or failure.

Since no authentication or user interaction is required, the risk of exploitation is high.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25751. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart