CVE-2026-47720

CVE-2026-47720 is a medium-severity SQL injection vulnerability in fuxa-server (npm), affecting versions <= 1.1.14-1243. No fixed version is listed yet.

Summary

The TDengine DAQ storage connector's escapeTdString at server/runtime/storage/tdengine/index.js:10 doubles single quotes but does not escape backslashes. TDengine's SQL parser treats \' as a literal single quote inside a string, so a tag id of the form x\' OR 1=1-- escapes the first single quote, lets the doubled quote close the string, and appends an injected clause that runs on the TDengine server. An attacker (Alice) sends the crafted sids value through GET /api/daq or the Socket.IO DAQ_QUERY event and reads every row in fuxa.meters, which holds the historical tag values of every PLC the FUXA instance records.
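As an added example (not FUXA's code and not the project's actual escapeTdString), the weak quote-doubling pattern the summary describes sits beside a backslash-aware variant, with a small scanner that applies the quoting rules described above to check whether an escaped value stays inside one string literal. Function names, the scanner's rules and the sample ids are assumptions for illustration.

```javascript
// Added example (not FUXA's code): a reconstruction of the escaping pattern the
// advisory describes, a hardened variant, and a scanner that checks whether an
// escaped value stays inside one string literal. Names and query shape are assumed.

// Weak: doubles single quotes only, as the advisory says escapeTdString does.
function escapeTdStringWeak(value) {
  return String(value).replace(/'/g, "''");
}

// Hardened: escape backslashes first, then double single quotes, so a trailing
// or embedded backslash can no longer consume the quote that closes the literal.
function escapeTdStringHardened(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/'/g, "''");
}

// Scan one quoted literal with the rules the advisory attributes to TDengine:
// "\<char>" is an escape, "''" is a doubled quote, a lone "'" terminates.
// Returns the index just past the closing quote, or -1 if the literal never ends.
function scanLiteral(sql, start) {
  if (sql[start] !== "'") return -1;
  let i = start + 1;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "\\") { i += 2; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i += 2; continue; }
      return i + 1;
    }
    i += 1;
  }
  return -1;
}

// True when the escaped value forms exactly one literal with nothing left over:
// the string closes at the quote the query builder added, not earlier (breakout)
// and not never (unterminated literal, the trailing-backslash case).
function literalIsContained(escaped) {
  const lit = "'" + escaped + "'";
  return scanLiteral(lit, 0) === lit.length;
}

// Regression check: returns the ids that break out under the given escape function.
function findEscapeFailures(ids, escapeFn) {
  return ids.filter((id) => !literalIsContained(escapeFn(id)));
}

// Constructed sample ids: plain, embedded quote, trailing backslash, backslash-quote.
const SAMPLE_IDS = ["meter1", "it's", "c:\\", "x\\' OR 1=1--"];
```

Running findEscapeFailures over SAMPLE_IDS with the weak function flags both the trailing-backslash id and the backslash-quote id, while the hardened function keeps every id contained.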

Details

The TDengine DAQ storage connector did not correctly sanitize user-controlled values before including them in SQL queries.

A specially crafted tag identifier could bypass the intended escaping logic and alter the query executed against the TDengine database.

This could allow unauthorized access to historical DAQ data stored in TDengine, including recorded tag values and related metadata.

The issue has been fixed in version 1.3.2 by improving input escaping in the TDengine connector.

Impact

An attacker with network access to a FUXA instance configured with TDengine as the DAQ backend reads the entire historical tag-value archive: every PLC tag the instance has recorded, plus the associated device ids and device names. Turning on authentication does not close the gap: the Socket.IO DAQ_QUERY handler has no authorization check, and /api/daq accepts guest-level requests. No login is needed in the default configuration.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Medium, 5.3). CWE-89.

A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.

Found by aisafe.io

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

CVE-2026-47720 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

fuxa-server (<= 1.1.14-1243)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

No fixed version is listed for CVE-2026-47720 yet.

In the interim: Use parameterized queries or prepared statements so user input is always treated as data, never as SQL syntax.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-47720? CVE-2026-47720 is a medium-severity SQL injection vulnerability in fuxa-server (npm), affecting versions <= 1.1.14-1243. No fixed version is listed yet. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. How severe is CVE-2026-47720? CVE-2026-47720 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of fuxa-server are affected by CVE-2026-47720? fuxa-server (npm) versions <= 1.1.14-1243 are affected.
  4. Is there a fix for CVE-2026-47720? No fixed version is listed for CVE-2026-47720 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-47720 exploitable, and should I be worried? Whether CVE-2026-47720 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-47720 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-47720? No fixed version is listed yet. In the interim: Use parameterized queries or prepared statements so user input is always treated as data, never as SQL syntax.

Other vulnerabilities in fuxa-server

CVE-2026-47721
CVE-2026-47719
CVE-2026-47718
CVE-2026-47717
CVE-2026-43947
