Cyber Resilience

CVE-2025-69981

Critical

Published: 03 February 2026

Modified: 11 February 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0073 (49.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-69981 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-69981 is an Unrestricted File Upload vulnerability in FUXA version 1.2.7, affecting the `/api/upload` API endpoint. This endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files to the server.

The vulnerability is exploitable by unauthenticated attackers with network access: attack complexity is low and no privileges or user interaction are required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Successful exploitation enables overwriting critical system files, such as the SQLite user database, to gain administrative access, or uploading malicious scripts to execute arbitrary code (CWE-434).

The vulnerable code is exposed in the FUXA repository at https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193. No vendor advisories or patches are referenced in available details.


Vulnerability details

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An unrestricted, unauthenticated file upload to a public API directly enables exploitation of the public-facing application (T1190) and web shell deployment for code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25951 (same product: Frangoteam Fuxa)
CVE-2026-25893 (same product: Frangoteam Fuxa)
CVE-2025-69983 (same product: Frangoteam Fuxa)
CVE-2026-25938 (same product: Frangoteam Fuxa)
CVE-2025-69970 (same product: Frangoteam Fuxa)
CVE-2026-25894 (same product: Frangoteam Fuxa)
CVE-2026-25939 (same product: Frangoteam Fuxa)
CVE-2025-69971 (same product: Frangoteam Fuxa)
CVE-2026-25895 (same product: Frangoteam Fuxa)
CVE-2026-25751 (same product: Frangoteam Fuxa)

Affected Assets

Vendor: frangoteam
Product: fuxa
Version: 1.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Enforces authentication and authorization mechanisms on the /api/upload endpoint to block unauthenticated remote attackers from uploading arbitrary files.

prevent: Validates all information inputs to the /api/upload endpoint, including file types, sizes, content, and destinations, to prevent unrestricted uploads leading to critical file overwrites or RCE.

prevent: Limits system functionality by prohibiting or restricting unnecessary unrestricted file upload capabilities exposed via the /api/upload endpoint.
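The following is an added example, not code from the FUXA project or from this advisory. It shows what the three controls above look like when applied together to a Node.js upload handler of the kind described in the Deeper analysis: access enforcement before any file handling, strict validation of name, type, size and content, and confinement of every write to a single upload directory so that a request can never reach a file such as a user database. The upload root, the size cap, the extension allowlist, the protected file names and the `permissions` field on the request are all assumptions made for illustration.

```javascript
// Added example (not FUXA's code): a hardened upload handler modelled on the
// three controls listed for CVE-2025-69981. Every name, limit and path here is
// an assumption for illustration, not something taken from the project.

const UPLOAD_ROOT = '/var/app/uploads';            // assumed upload directory
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;          // assumed 5 MiB cap

// Assumed allowlist of extension -> content check. A Map rather than a plain
// object so that names like "constructor" cannot resolve to Object.prototype.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const ALLOWED_TYPES = new Map([
  ['json', (buf) => { try { JSON.parse(buf.toString('utf8')); return true; } catch { return false; } }],
  ['csv',  (buf) => !buf.includes(0)],                                  // no NUL bytes in text
  ['png',  (buf) => buf.length >= 8 && buf.subarray(0, 8).equals(PNG_SIGNATURE)],
]);

// Constructed names standing in for files that must never be an upload target,
// even inside the upload root (for example a user database).
const PROTECTED_NAMES = new Set(['users.db', 'settings.json']);

// Exactly one path component: no separators, no leading dot, bounded length.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

function reject(status, reason) { return { ok: false, status, reason }; }

// AC-3 (Access Enforcement): authenticated caller holding the upload permission.
function checkAccess(req) {
  if (!req.user) return reject(401, 'authentication required');
  if (!Array.isArray(req.user.permissions) || !req.user.permissions.includes('upload')) {
    return reject(403, 'upload permission required');
  }
  return null;
}

// Input validation: name, extension, size and content must all pass.
function checkFile(req) {
  const name = req.filename;
  if (typeof name !== 'string' || !SAFE_NAME.test(name) || name.includes('..')) {
    return reject(400, 'invalid file name');
  }
  if (PROTECTED_NAMES.has(name.toLowerCase())) return reject(403, 'protected file name');
  const dot = name.lastIndexOf('.');
  const contentCheck = dot > 0 ? ALLOWED_TYPES.get(name.slice(dot + 1).toLowerCase()) : undefined;
  if (!contentCheck) return reject(415, 'file type not allowed');
  if (!Buffer.isBuffer(req.body)) return reject(400, 'body must be raw bytes');
  if (req.body.length === 0 || req.body.length > MAX_UPLOAD_BYTES) return reject(413, 'size out of range');
  if (!contentCheck(req.body)) return reject(415, 'content does not match declared type');
  return null;
}

// CM-7 (Least Functionality): uploads land only as one file directly under UPLOAD_ROOT.
function destinationFor(name) {
  const dest = `${UPLOAD_ROOT}/${name}`;
  // The regex already forbids separators; this asserts containment regardless.
  if (!dest.startsWith(`${UPLOAD_ROOT}/`) || dest.slice(UPLOAD_ROOT.length + 1).includes('/')) {
    throw new Error('destination escaped upload root');
  }
  return dest;
}

// Runs every check; the injected writer(dest, bytes) is called only if all pass.
function handleUpload(req, writer) {
  const denied = checkAccess(req) || checkFile(req);
  if (denied) return { status: denied.status, body: { error: denied.reason } };
  const dest = destinationFor(req.filename);
  writer(dest, req.body);
  return { status: 201, body: { stored: dest } };
}

// Constructed requests exercising each control (not captured traffic).
const uploader = { permissions: ['upload'] };
const EXAMPLES = {
  unauthenticated: { user: null,     filename: 'dash.json',   body: Buffer.from('{}') },
  traversal:       { user: uploader, filename: '../users.db', body: Buffer.from('x') },
  protected:       { user: uploader, filename: 'users.db',    body: Buffer.from('x') },
  wrongType:       { user: uploader, filename: 'report.html', body: Buffer.from('x') },
  fakePng:         { user: uploader, filename: 'logo.png',    body: Buffer.from('<script>') },
  good:            { user: uploader, filename: 'dash.json',   body: Buffer.from('{"a":1}') },
};

// Returns the HTTP status each constructed request would receive; only "good" writes.
function runExamples() {
  const statuses = {};
  for (const [label, req] of Object.entries(EXAMPLES)) {
    statuses[label] = handleUpload(req, () => {}).status;
  }
  return statuses;
}

console.log(runExamples());
```

The order of checks is deliberate: access enforcement runs before any file data is inspected, the writer is only ever handed a path built from an allowlisted single-component name, and the content check prevents a file whose extension is allowed from carrying a different payload.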
