Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.
Published: 2026-05-27
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dalfox is a tool for detecting cross-site scripting. In server mode, the application listens on 0.0.0.0:6664 by default and requires no API key unless the operator passes --api-key. The body of POST /scan is deserialized into model.Options, and dalfox.Initialize passes the FoundAction and FoundActionShell fields straight through into the scan options. An unauthenticated client can therefore supply a shell command that Dalfox executes whenever the scan produces a finding, giving the attacker remote code execution with the privileges of the dalfox process.

Affected Systems

The issue affects Dalfox releases prior to v2.13.0 when run in REST API server mode. Any installation of the dalfox utility from the hahwul project that has not been upgraded and that exposes the default port is vulnerable.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the maximum severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and unauthenticated: any host that can reach the server on port 6664 can send a crafted POST /scan request whose JSON body sets FoundAction or FoundActionShell, and the supplied command runs when a finding is produced. No privileges, user interaction, or additional components are required. Note that the command fires on a scan finding rather than on receipt of the request; since the scan target is part of the same submitted options, an attacker can point the scan at a page they control to make that condition trivial to meet.

Generated by OpenCVE AI on May 27, 2026 at 19:13 UTC.

Remediation

The advisory states that the issue is fixed in Dalfox 2.13.0. No separate vendor workaround is listed for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Dalfox to version 2.13.0 or later.
  • If an upgrade is not immediately possible, do not run dalfox server on the default 0.0.0.0 bind; bind it to a non-public interface (e.g., 127.0.0.1) or restrict access to the port to trusted addresses with a firewall.
  • Start the server with --api-key so that /scan requires authentication. This narrows exposure to holders of the key but does not fix the underlying defect: the FoundAction and FoundActionShell fields are still honoured for any caller who authenticates, so the key must be treated as equivalent to shell access on the host.
  • Sanitizing or rejecting those two fields at a reverse proxy in front of the server is a partial mitigation only, since it depends on the proxy seeing every request body; it should not be relied on in place of the upgrade.
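The following added example illustrates both the propagation described under Impact and the API-key and field-stripping measures in the recommended actions. It is not code from Dalfox or from the advisory: the Options struct, the JSON tags, the X-API-KEY header name, and the sample request body are assumptions made for this example, and nothing in it executes a command. The "vulnerable" initializer copies the two fields through unchanged, as the advisory describes for versions before 2.13.0; the "hardened" one never takes them from the request body and refuses to serve /scan without a key.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Options stands in for the struct a /scan body is decoded into. The two
// found-action fields carry the names the advisory cites; the JSON tags and
// the struct itself are assumptions for this example, not dalfox's model.Options.
type Options struct {
	URL              string `json:"url"`
	FoundAction      string `json:"found-action"`
	FoundActionShell string `json:"found-action-shell"`
}

// maliciousBody is a constructed request body of the shape the advisory
// describes. The command is a harmless placeholder; nothing here executes it.
const maliciousBody = `{"url":"http://example.test/?q=1","found-action":"echo found","found-action-shell":"/bin/sh"}`

// initializeVulnerable mimics the pre-2.13.0 behaviour the advisory describes:
// whatever the client put in the two fields reaches the final scan options.
func initializeVulnerable(req Options) Options {
	final := Options{URL: req.URL}
	final.FoundAction = req.FoundAction           // propagated unchanged
	final.FoundActionShell = req.FoundActionShell // propagated unchanged
	return final
}

// initializeHardened never copies the two fields out of the request; a
// found-action, if wanted at all, must come from server-side configuration.
func initializeHardened(req Options) Options {
	return Options{URL: req.URL}
}

// finalOptions decodes an untrusted body and runs it through init.
func finalOptions(body []byte, init func(Options) Options) (Options, error) {
	var req Options
	if err := json.NewDecoder(bytes.NewReader(body)).Decode(&req); err != nil {
		return Options{}, err
	}
	if req.URL == "" {
		return Options{}, errors.New("url is required")
	}
	return init(req), nil
}

// wouldRunShell reports whether these options would hand a client-chosen
// command to the host shell once the scan produces a finding.
func wouldRunShell(o Options) bool { return o.FoundAction != "" }

// newScanHandler gates POST /scan on a static key sent in X-API-KEY. An empty
// key is refused at construction, so the endpoint cannot end up open just
// because the operator omitted a flag.
func newScanHandler(apiKey string, init func(Options) Options) (http.Handler, error) {
	if apiKey == "" {
		return nil, errors.New("refusing to serve /scan without an API key")
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("X-API-KEY"))
		if subtle.ConstantTimeCompare(got, []byte(apiKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap the body at 1 MiB
		opts, err := finalOptions(body, init)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "scan of %s queued; found-action set: %v\n", opts.URL, wouldRunShell(opts))
	}), nil
}

// postScan drives a handler in-process and returns the HTTP status code.
func postScan(h http.Handler, key, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/scan", strings.NewReader(body))
	if key != "" {
		req.Header.Set("X-API-KEY", key)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v, _ := finalOptions([]byte(maliciousBody), initializeVulnerable)
	h, _ := finalOptions([]byte(maliciousBody), initializeHardened)
	fmt.Printf("vulnerable init would run shell: %v, hardened: %v\n", wouldRunShell(v), wouldRunShell(h))
	handler, _ := newScanHandler("example-key", initializeHardened)
	fmt.Printf("no key -> %d, right key -> %d\n", postScan(handler, "", maliciousBody), postScan(handler, "example-key", maliciousBody))
}
```

The point of the two initializers is that the fix is structural: a scan endpoint should have no code path by which a request body can populate a field that names a command. The key check is a separate control; it reduces who can reach the endpoint but, on its own, leaves any key holder with the same command-execution capability, which is why the example applies both.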

Advisories

  • Source: GitHub GHSA
    ID: GHSA-v25v-m36w-jp4h
    Title: Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
History

Wed, 27 May 2026 17:45:00 +0000

Values added (nothing removed):

  • Description: the text shown under Description above.
  • Title: Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
  • Weaknesses: CWE-15, CWE-306, CWE-78
  • References: none listed
  • Metrics: cvssV3_1, score 10, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:34:29.118Z

Reserved: 2026-05-08T19:27:26.697Z

Link: CVE-2026-45087

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T18:16:24.567

Modified: 2026-05-27T18:16:24.567

Link: CVE-2026-45087

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses