CVE-2026-25951

Summary

A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. It is a new vulnerability a patch bypass for the sanitization in the last release .

​

Details

This report describes a new, distinct vulnerability that differs from previous Path Traversal advisories (such as CVE-2023-31718) in several ways:

Patch Bypass (Regression): The vulnerability circumvents the existing sanitization logic implemented to fix previous traversal issues. The current "single-pass" regex approach is insufficient against nested sequences.

Expansion of Scope: Unlike previous reports that focused primarily on /api/download, this bypass affects multiple critical endpoints, including /api/upload, /api/resources/remove, and /api/logs.

Escalation to RCE: By targeting the 

upload

 and remove functionalities, this vulnerability directly leads to Remote Code Execution, which is a higher impact than the information disclosure typically associated with previous traversal reports.

​

Impact

Remote Code Execution (RCE): Transition from application admin to full system control.

SCADA Operational Disruption: Potential for physical or operational sabotage by manipulating tags and alarms.

Data Integrity & Availability: Full access to projects, credentials, and historical logs.

Patches

This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.