CVE-2025-69983

Critical

Published: 03 February 2026

Published

03 February 2026

Modified

11 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0036 58.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system…

compromise.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of user-supplied project files to block malicious scripts and system commands during import.

SC-39 Process Isolation good match

prevent

Mandates process isolation to sandbox execution of imported project scripts, preventing full system compromise even if malicious code executes.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection at system entry points like project import to identify and block execution of embedded system commands.

Security SummaryAI

CVE-2025-69983 is a remote code execution (RCE) vulnerability in FUXA version 1.2.7. The flaw exists in the project import functionality, where the application does not properly sanitize or sandbox user-supplied scripts embedded in imported project files. This allows attackers to include malicious scripts with system commands. The vulnerability is associated with CWE-94 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability by uploading a specially crafted project file containing arbitrary system commands. No user interaction or privileges are required, enabling low-complexity remote exploitation that results in full system compromise, with high impacts on confidentiality, integrity, and availability.

The primary reference points to the vulnerable source code in FUXA's project handling at https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js. No advisories or patches are detailed in the provided information.

Details

CWE(s): NVD-CWE-noinfo CWE-94

Affected Products

frangoteam

fuxa

1.2.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated RCE in public-facing web application (FUXA project import) via unsanitized file upload directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js
Product · cve@mitre.org