CVE-2026-45087

May 28, 2026, 2:16 p.m.

10.0
Critical

Description

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.

Product(s) Impacted

Vendor Product Versions
Dalfox
  • Dalfox
  • <2.13.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-15
External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a dalfox dalfox <2.13.0 / / / / / / /

References

https://github.com/hahwul/dalfox/releases/tag/v2.13.0
https://github.com/hahwul/dalfox/security/advisories/GHSA-v25v-m36w-jp4h
https://github.com/hahwul/dalfox/security/advisories/GHSA-v25v-m36w-jp4h

Tags

[email protected]
CWE-15
2026-05-27
CVE-2026-45087

CVSS Score

10.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: May 27, 2026, 6:16 p.m.
Last Modified: May 28, 2026, 2:16 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.