Frangoteam FUXA SCADA/HMI
View CSAF Summary Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts and role assignments on a FUXA SCADA/HMI instance. The following versions of Frangoteam FUXA SCADA/HMI are affected: FUXA SCADA/HMI <=1.3.1 (CVE-2026-13207) CVSS Vendor Equipment Vulnerabilities v3 7.5 Frangoteam Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing Background Critical Infrastructure Sectors: Critical Manufacturing, Energy, Water and Wastewater Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2026-13207 FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials. View CVE Details Affected Products Frangoteam FUXA SCADA/HMI Vendor: Frangoteam Product Version: Frangoteam FUXA SCADA/HMI: <=1.3.1 Product Status: known_affected Remediations Mitigation Frangoteam recommends users apply the latest version of FUXA 1.3.2 or later https://github.com/frangoteam/FUXA/releases. https://github.com/frangoteam/FUXA/releases Relevant CWE: CWE-290 Authentication Bypass by Spoofing Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 4.0 8.7 HIGH CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Acknowledgments Joshua Hayes of Cited Relevance LLC reported this vulnerability to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/priva CVEs: CVE-2026-13207. Vendors: Frangoteam Product Version: Frangoteam FUXA SCADA/HMI: <=1. DORA relevance: medium.