CVE-2025-69985

CRITICAL 9.8

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Vendor	n/a
Product	n/a
Published	Feb 24, 2026
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for n/a n/a

Be the first to know when new critical vulnerabilities affecting n/a n/a are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

n/a / n/a

n/a

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js gist.github.com: https://gist.github.com/lihy10/8cb2dd65ebf1385f12a7e00e25a50d40