Back to overview

CVE-2026-13207

HIGH
7.5
CVSS 3.1
Description
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

Metadata

CVE ID
CVE-2026-13207
State
PUBLISHED
Assigner
icscert
Reserved
2026-06-24 14:31 UTC
Published
2026-06-30 20:24 UTC
Last updated
2026-06-30 20:24 UTC
Primary CWE
CWE-290
CWE-290 Authentication bypass by spoofing
Vendor / Product
Frangoteam / FUXA SCADA/HMI
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
Frangoteam FUXA SCADA/HMI 0 ≤ 1.3.1, 1.3.2
Weakness (CWE)
CWESourceDescription
CWE-290 cna CWE-290 Authentication bypass by spoofing
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Back to overview