CVE-2026-25951

CVE-2026-25951 is a high-severity path traversal vulnerability in fuxa-server (npm), affecting versions <= 1.2.10. It is fixed in 1.2.11.

Summary

A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability: a bypass of the sanitization patch shipped in the previous release.

Details

This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:

Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences.
Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs.
Escalation to RCE: By targeting the upload and remove functionalities, this vulnerability directly leads to Remote Code Execution, a higher impact than the information disclosure typically associated with previous traversal reports.

Impact

Remote Code Execution (RCE): Transition from application admin to full system control.
SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms.
Data Integrity & Availability: Full access to projects, credentials, and historical logs.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

Affected versions

fuxa-server (<= 1.2.10)

Security releases

fuxa-server → 1.2.11 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.

Frequently Asked Questions

  1. What is CVE-2026-25951? CVE-2026-25951 is a high-severity path traversal vulnerability in fuxa-server (npm), affecting versions <= 1.2.10. It is fixed in 1.2.11. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. Which versions of fuxa-server are affected by CVE-2026-25951? fuxa-server (npm) versions <= 1.2.10 are affected.
  3. Is there a fix for CVE-2026-25951? Yes. CVE-2026-25951 is fixed in 1.2.11. Upgrade to this version or later.
  4. Is CVE-2026-25951 exploitable, and should I be worried? Whether CVE-2026-25951 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-25951 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-25951? Upgrade fuxa-server to 1.2.11 or later.
