FUXA Unauthenticated Arbitrary File Upload Vulnerability in API Upload Endpoint

Vulnerability

An unrestricted file upload vulnerability has been identified in FUXA version 1.2.7, specifically within the '/api/upload' API endpoint. This vulnerability arises because the endpoint lacks authentication, allowing unauthenticated remote attackers to upload arbitrary files. Exploitation of this vulnerability could lead to the overwriting of critical system files, such as the SQLite user database, potentially granting administrative access. Alternatively, attackers could upload malicious scripts to execute arbitrary code.

Impact

Successful exploitation allows arbitrary file uploads, which can be used to overwrite critical system files or to achieve arbitrary code execution through uploaded malicious scripts.
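A detection sketch for the exposure described above, added here as an example and not taken from FUXA or from this advisory's source: it scans reverse-proxy access logs for POST requests to '/api/upload' that came from outside the expected management network. The Combined Log Format, the trusted CIDR, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: management networks allowed to reach the FUXA API.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined Log Format: client ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [03/Feb/2026:18:01:10 +0000] "POST /api/upload HTTP/1.1" 200 52
198.51.100.7 - - [03/Feb/2026:18:02:44 +0000] "POST /api/upload HTTP/1.1" 200 52
198.51.100.7 - - [03/Feb/2026:18:02:51 +0000] "POST /api/upload/?x=1 HTTP/1.1" 200 52
203.0.113.9 - - [03/Feb/2026:18:03:02 +0000] "GET /api/upload HTTP/1.1" 404 12
203.0.113.9 - - [03/Feb/2026:18:03:09 +0000] "POST /api/uploads HTTP/1.1" 404 12
203.0.113.9 - - [03/Feb/2026:18:04:00 +0000] "POST /API/Upload HTTP/1.1" 401 0
not a log line
"""

def is_upload_path(target):
    # Drop the query string, then normalise trailing slash and case.
    return target.split("?", 1)[0].rstrip("/").lower() == "/api/upload"

def find_untrusted_uploads(log_text):
    """Return POSTs to /api/upload that came from outside TRUSTED_NETS."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not is_upload_path(m["target"]):
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
            trusted = any(addr in net for net in TRUSTED_NETS)
        except ValueError:
            trusted = False  # hostname logged: cannot be placed in a trusted net
        if not trusted:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "accepted": m["status"].startswith("2")})
    return findings

def accepted_by_source(findings):
    # Count uploads the server answered with 2xx, per source address.
    return Counter(f["ip"] for f in findings if f["accepted"])
```

Findings with "accepted" set are the ones to triage first, since the server took the upload; the rest show probing that was refused.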

Added: Feb 3, 2026, 6:32 PM
Updated: Feb 3, 2026, 6:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 8.8
remediation: 0.0
relevance: 2.5
threat: 3.2
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.