Platform: nodejs
Component: fuxa-server
Fixed in: 1.2.9, 1.2.11
CVE-2026-25938 describes a critical Remote Code Execution (RCE) vulnerability affecting fuxa-server. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. The vulnerability impacts versions 1.2.8 through 1.2.10 and has been resolved in version 1.2.11.
The impact of CVE-2026-25938 is severe. An attacker can bypass authentication by sending a specially crafted request to the /nodered/flows endpoint. Successful exploitation gives the attacker complete control of the affected fuxa-server: arbitrary code execution, theft of sensitive data, modification of system configuration, and potentially a pivot to other systems on the network. Every deployment with the Node-RED plugin enabled is exposed, including those with FUXA's runtime.settings.secureEnabled option turned on, so the attack surface is broad.
CVE-2026-25938 was publicly disclosed on 2026-02-10. The low effort needed to exploit it and the severity of the impact suggest a medium to high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but given the nature of the flaw a PoC is likely to emerge. It is not currently listed in CISA KEV.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25938 is to upgrade fuxa-server to version 1.2.11 or later immediately. If upgrading is not immediately feasible, disable the Node-RED plugin entirely as a temporary workaround. A WAF is not a reliable control here: the flaw is an authentication bypass in the endpoint's own request handling, so a generic ruleset has nothing to match against a crafted request; at most, restrict access to the /nodered/ paths to trusted administrative addresses at the reverse proxy. Monitor access logs for unusual activity targeting /nodered/flows, in particular write requests from addresses that are not known operator hosts. Review and harden the Node-RED plugin configuration to minimize the exposed attack surface.
Update FUXA to version 1.2.11 or later. This version contains the fix for the remote code execution vulnerability. The update can be performed through the FUXA administration panel or by downloading the latest version from the vendor's website.
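As an added triage example (not FUXA's own code and not part of the original advisory), the script below does two things the guidance above asks for: it decides whether an installed fuxa-server version falls in the affected range 1.2.8 through 1.2.10, and it scans web-server access logs for requests to /nodered/flows, flagging any request from an address outside an operator allowlist and any accepted write (POST/PUT/DELETE) even from a trusted host. The combined log format, the sample log lines, and the allowlist are assumptions; substitute your own proxy's log format and addresses.

```javascript
// Added example for CVE-2026-25938 triage. Not FUXA project code.
// Assumptions: fuxa-server versions use plain MAJOR.MINOR.PATCH strings, and the
// reverse proxy in front of FUXA writes Apache/nginx "combined" access logs.

// Parse "1.2.9" or "v1.2.9" into [1, 2, 9]; anything else is an error.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^v/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 1.2.10 sorts after 1.2.9 (string comparison would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: 1.2.8 through 1.2.10, fixed in 1.2.11.
function isAffectedVersion(version) {
  return compareVersions(version, '1.2.8') >= 0 && compareVersions(version, '1.2.11') < 0;
}

// Combined log format (assumed), e.g.
// 10.0.0.5 - - [10/Feb/2026:12:00:01 +0000] "POST /nodered/flows HTTP/1.1" 200 17 "-" "curl/8.4.0"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, not treated as hits
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns the entries an analyst should look at: every request to /nodered/flows
// from an address outside the allowlist, plus every accepted (2xx) write from a
// trusted address, so flow deployments can be reconciled against change records.
function findFlowsRequests(lines, allowlist = new Set()) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    const path = e.path.split('?')[0];
    if (!path.startsWith('/nodered/flows')) continue;
    const isWrite = ['POST', 'PUT', 'DELETE'].includes(e.method);
    const trusted = allowlist.has(e.ip);
    const accepted = e.status >= 200 && e.status < 300;
    if (!trusted) {
      hits.push({ ...e, path, reason: 'untrusted source' });
    } else if (isWrite && accepted) {
      hits.push({ ...e, path, reason: 'accepted write from trusted host' });
    }
  }
  return hits;
}

// Constructed sample log lines; not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Feb/2026:12:00:01 +0000] "GET /home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Feb/2026:12:00:02 +0000] "GET /nodered/flows HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Feb/2026:12:00:03 +0000] "POST /nodered/flows HTTP/1.1" 200 17 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Feb/2026:12:00:04 +0000] "GET /nodered/flows?x=1 HTTP/1.1" 401 0 "-" "curl/8.4.0"',
  '10.0.0.5 - - [10/Feb/2026:12:05:00 +0000] "PUT /nodered/flows HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

// Assumed operator workstation address.
const OPERATOR_HOSTS = new Set(['10.0.0.5']);

console.log('fuxa-server 1.2.9 affected:', isAffectedVersion('1.2.9'));
for (const h of findFlowsRequests(SAMPLE_LOG, OPERATOR_HOSTS)) {
  console.log(`${h.time} ${h.ip} ${h.method} ${h.path} ${h.status} -> ${h.reason}`);
}
```

Run it with node; the sample produces three findings: the unauthenticated POST and the probing GET from 203.0.113.7, and the accepted PUT from the operator host. The allowlist is a triage aid only; because the flaw bypasses authentication, a request from a trusted address still needs to be matched against an operator's actual activity.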
CVE-2026-25938 is a critical Remote Code Execution vulnerability in fuxa-server versions 1.2.8 through 1.2.10, allowing unauthenticated attackers to execute code.
You are affected if you are running fuxa-server version 1.2.8, 1.2.9, or 1.2.10 and have the Node-RED plugin enabled.
Upgrade fuxa-server to version 1.2.11 or later. As a temporary workaround, disable the Node-RED plugin.
No active exploitation has been confirmed, but the flaw requires no authentication and no precondition beyond the Node-RED plugin being enabled, so exploitation is plausible once details circulate.
Refer to the official fuxa-server security advisories on their website or GitHub repository for the latest information.