Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.
Published: 2026-05-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dalfox is a tool for detecting cross‑site scripting. In server mode, the application listens on 0.0.0.0:6664 by default without requiring an API key. The request body for /scan is deserialized into model.Options, and the FoundAction and FoundActionShell fields are passed directly into the scan routine. An unauthenticated client can therefore inject a shell command that Dalfox will execute whenever a scan result is found, giving an attacker full remote code execution on the host.

Affected Systems

The issue affects Dalfox releases prior to v2.13.0 when run in REST API server mode. Any installation of the dalfox utility from the hahwul project that has not been upgraded and that exposes the default port is vulnerable.

Risk and Exploitability

The flaw carries a CVSS score of 10, indicating maximum severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and unauthenticated: any host that can reach the server on port 6664 can send a crafted POST /scan request with a payload containing a FoundAction or FoundActionShell value, resulting in arbitrary code execution. No additional privileges or dependencies are required, making exploitation straightforward for the attacker.

Generated by OpenCVE AI on May 27, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dalfox to version 2.13.0 or later.
  • If an upgrade is not immediately possible, bind the server to a non‑public interface (e.g., 127.0.0.1) or use a firewall to restrict access to trusted IP addresses.
  • As a temporary measure, consider disabling or sanitizing the FoundAction and FoundActionShell options, although this may not fully prevent exploitation.

Generated by OpenCVE AI on May 27, 2026 at 19:13 UTC.
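The description and the recommended actions above turn on one mechanism: the POST /scan body is decoded straight into the scanner's internal options struct, so operator-only fields that make the scanner run a shell command become client-settable, and the endpoint accepts them with no credential on a default bind of 0.0.0.0:6664. The Go program below is an added example, not dalfox's code, showing the hardened shape of such an endpoint: a dedicated wire type for the request that rejects unknown fields (so a `found-action` key in the JSON is a 400 response, not a setting), an API key that is mandatory rather than opt-in, and a loopback default bind address. Every type, function and header name in it (`ScanOptions`, `ScanRequest`, `processScan`, `newScanHandler`, `X-API-Key`, `DefaultListenAddr`) is hypothetical.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ScanOptions stands in for a scanner's internal option struct. The *Action
// fields make the scanner run a shell command when a finding is triggered, so
// they are operator-only. Names are hypothetical, not dalfox's model.Options.
type ScanOptions struct {
	Target           string
	FoundAction      string
	FoundActionShell string
}

// ScanRequest is the wire format for POST /scan: only the fields the API is
// meant to expose. Decoding into this type instead of straight into
// ScanOptions is what closes the hole the advisory describes.
type ScanRequest struct {
	Target string `json:"target"`
}

// DefaultListenAddr binds to loopback; listening on every interface has to
// be an explicit operator choice rather than the default.
const DefaultListenAddr = "127.0.0.1:6664"

// decodeScanRequest fails on any field not declared in ScanRequest, so a
// "found-action" key in the JSON is an error, not a silently accepted setting.
func decodeScanRequest(body io.Reader) (ScanRequest, error) {
	var req ScanRequest
	dec := json.NewDecoder(io.LimitReader(body, 64<<10)) // 64 KiB body cap
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return ScanRequest{}, err
	}
	if req.Target == "" {
		return ScanRequest{}, fmt.Errorf("target is required")
	}
	return req, nil
}

// toScanOptions builds the internal options from the wire request; the
// command-executing fields stay empty by construction.
func toScanOptions(req ScanRequest) ScanOptions {
	return ScanOptions{Target: req.Target}
}

// keyMatches compares keys in constant time and fails closed with no key set.
func keyMatches(configured, presented string) bool {
	return configured != "" &&
		subtle.ConstantTimeCompare([]byte(configured), []byte(presented)) == 1
}

// processScan is the handler's logic, kept free of net/http so it can be
// tested directly: it returns the HTTP status and the effective scan options.
func processScan(apiKey, presentedKey string, body io.Reader) (int, ScanOptions) {
	if !keyMatches(apiKey, presentedKey) {
		return http.StatusUnauthorized, ScanOptions{}
	}
	req, err := decodeScanRequest(body)
	if err != nil {
		return http.StatusBadRequest, ScanOptions{}
	}
	return http.StatusOK, toScanOptions(req)
}

// newScanHandler refuses to build a handler without an API key, inverting
// the "no key unless --api-key is passed" default from the advisory.
func newScanHandler(apiKey string) (http.Handler, error) {
	if apiKey == "" {
		return nil, fmt.Errorf("refusing to serve /scan without an API key")
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status, opts := processScan(apiKey, r.Header.Get("X-API-Key"), r.Body)
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		fmt.Fprintf(w, "scan queued for %s (found-action=%q)\n", opts.Target, opts.FoundAction)
	}), nil
}

func main() {
	h, err := newScanHandler("example-key-not-for-production")
	if err != nil {
		panic(err)
	}
	// Constructed request: a client trying to smuggle an operator-only field.
	r := httptest.NewRequest(http.MethodPost, "/scan",
		strings.NewReader(`{"target":"http://example.test/?q=1","found-action":"<any shell command>"}`))
	r.Header.Set("X-API-Key", "example-key-not-for-production")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	fmt.Printf("%d %s", rec.Code, rec.Body.String()) // 400 Bad Request
}
```

The separate wire type is deliberate: stripping `FoundAction` and `FoundActionShell` after decoding (the third recommended action above) only protects the two fields someone remembered to list, whereas a request type that declares the allowed fields and rejects everything else keeps any future operator-only option out of the network path by default.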

Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-v25v-m36w-jp4h | Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
History

Fri, 29 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (empty) | Hahwul; Hahwul dalfox
Vendors & Products | (empty) | Hahwul; Hahwul dalfox

Thu, 28 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | (empty) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | (empty) | (added; identical to the Description at the top of this page)
Title | (empty) | Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
Weaknesses | (empty) | CWE-15; CWE-306; CWE-78
References | (empty) | (none shown)
Metrics | (empty) | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T13:58:37.247Z

Reserved: 2026-05-08T19:27:26.697Z

Link: CVE-2026-45087

Vulnrichment

Updated: 2026-05-28T13:58:21.063Z

NVD

Status: Deferred

Published: 2026-05-27T18:16:24.567

Modified: 2026-06-17T10:51:40.640

Link: CVE-2026-45087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:24Z

Weaknesses
  • CWE-15

    External Control of System or Configuration Setting

  • CWE-306

    Missing Authentication for Critical Function

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')