FUXA contains an Unrestricted File Upload vulnerability

GHSA-7g56-fwxj-cm23 · CVE-2025-69981

Published Feb 3, 2026 · Modified Feb 10, 2026

Description

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-69981
PACKAGE https://github.com/frangoteam/FUXA
WEB https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes