CVE-2026-25751 CRITICAL

CVE-2026-25751: FUXA Unauthenticated Exposure of Plaintext Database Credentials

Vendor Frangoteam
Product FUXA
Weakness CWE-306 · Missing auth
Published February 6, 2026
Last update February 9, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

Key dates

02Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated