Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem. This vulnerability is fixed in 2.13.0.
Published: 2026-05-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dalfox, an open-source XSS scanner, exposes a file-write capability when operating in REST API server mode. The flaw stems from the fact that the output, output-all, and debug parameters are deserialized from an unauthenticated client request and forwarded directly to the daemon's logger. The logger opens the supplied path with flags that allow creation and appending (os.O_APPEND|os.O_CREATE|os.O_WRONLY) without performing any validation, and this logic sits outside the IsLibrary guard that is meant to distinguish library use from server mode. Consequently, an unauthenticated attacker can create or append to arbitrary files at any location writable by the Dalfox process, enabling tampering with configuration files, log spoofing, or laying groundwork for further exploitation. This corresponds to CWE-306 (Missing Authentication for Critical Function), CWE-434 (Unrestricted Upload of File with Dangerous Type), and CWE-73 (External Control of File Name or Path).

Affected Systems

The vulnerability affects every deployment of hahwul:dalfox running a version prior to 2.13.0 in server mode with the default configuration—specifically, where no API key protects the REST endpoint. All hosts where the Dalfox process is permitted to write to the local file system are susceptible.

Risk and Exploitability

The CVSS score of 8.2 marks this issue as high severity. EPSS data is not yet available and the vulnerability is not listed in CISA’s KEV catalog, yet the lack of authentication means that any network user reaching the HTTP endpoint can exploit the flaw. The attack requires only HTTP access to the REST API; no privileged credentials or additional local conditions are necessary. The potential impact includes unauthorized file creation or modification across the host, which can lead to system compromise or data corruption.

Generated by OpenCVE AI on May 27, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dalfox to version 2.13.0 or later, which removes the insecure file-output logic.
  • Restrict network access to the Dalfox REST API by implementing firewall rules or network segmentation to limit exposure to trusted hosts.
  • Enable API key authentication on the Dalfox server to require authenticated access to the endpoint.
  • Disable the output, output-all, and debug parameters or configure them to restrict file paths to a safe directory, ensuring the daemon cannot write to arbitrary locations.
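The two server-side checks that the description and the last recommended action call for, written as an added Go example rather than code from the dalfox project: the `Options` struct, its field names, the base directory and the function names are assumptions modelled on the advisory text, not dalfox's real `model.Options`, `Initialize` or `DalLog`. `DecodeServerOptions` refuses any REST request body that carries the `output`, `output-all` or `debug` fields, so a network caller can no longer choose where the daemon writes; `ResolveLogPath` confines an operator-configured log file name to one directory before `OpenLog` opens it with the same append/create flags the description cites.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Options is a hypothetical stand-in for the JSON-tagged fields the advisory
// names (output, output-all, debug); it is not dalfox's real model.Options.
type Options struct {
	Output    string `json:"output"`
	OutputAll bool   `json:"output-all"`
	Debug     bool   `json:"debug"`
	Target    string `json:"target"`
}

// ErrFileOutputInServerMode is returned when a client tries to steer logging.
var ErrFileOutputInServerMode = errors.New("file output options are not accepted in server mode")

// DecodeServerOptions parses a scan request body for server mode. Any attempt
// by the caller to set a file-output option is rejected before the struct is
// populated, so the log destination stays under the operator's control.
func DecodeServerOptions(body []byte) (Options, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return Options{}, fmt.Errorf("invalid request body: %w", err)
	}
	for _, k := range []string{"output", "output-all", "debug"} {
		if _, present := raw[k]; present {
			return Options{}, fmt.Errorf("%w: field %q", ErrFileOutputInServerMode, k)
		}
	}
	var opts Options
	if err := json.Unmarshal(body, &opts); err != nil {
		return Options{}, fmt.Errorf("invalid request body: %w", err)
	}
	return opts, nil
}

// ResolveLogPath confines a log file name to baseDir: absolute names, names
// that climb out of baseDir and the directory itself are all rejected. The
// check is purely lexical; it does not follow symlinks inside baseDir.
func ResolveLogPath(baseDir, requested string) (string, error) {
	if requested == "" {
		return "", errors.New("empty log file name")
	}
	if filepath.IsAbs(requested) {
		return "", fmt.Errorf("absolute log path %q rejected", requested)
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, requested) // Join also cleans the result
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("log path %q escapes %s", requested, base)
	}
	return full, nil
}

// OpenLog opens a confined log file with the append/create flags the advisory
// cites, after ResolveLogPath has validated it, with a mode private to the
// service account.
func OpenLog(baseDir, name string) (*os.File, error) {
	path, err := ResolveLogPath(baseDir, name)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
}

func main() {
	// Constructed request bodies and file names for demonstration only.
	for _, b := range []string{
		`{"target":"https://example.test/?q=1"}`,
		`{"target":"https://example.test/?q=1","output":"scan.log"}`,
	} {
		opts, err := DecodeServerOptions([]byte(b))
		fmt.Printf("body=%s -> opts=%+v err=%v\n", b, opts, err)
	}
	for _, name := range []string{"scan-1.log", "../outside.log", "/etc/hosts"} {
		p, err := ResolveLogPath("/var/lib/dalfox-logs", name)
		fmt.Printf("name=%q -> path=%q err=%v\n", name, p, err)
	}
}
```

Rejecting the request outright, rather than silently dropping the fields, makes misuse visible in the server's own request log. The base directory handed to `OpenLog` should be dedicated to the service and owned by its account; because `ResolveLogPath` is lexical, a symlink planted inside that directory would still be followed, which is why the directory's ownership matters.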

Advisories
Source: GitHub GHSA
ID: GHSA-8hf9-3q64-q2qf
Title: Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option

History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Hahwul; Hahwul dalfox

Type: Vendors & Products
Values Added: Hahwul; Hahwul dalfox

Wed, 27 May 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 17:45:00 +0000

Type: Description
Values Added: Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem. This vulnerability is fixed in 2.13.0.

Type: Title
Values Added: Dalfox: Unauthenticated Arbitrary File Create/Append via `output` Option in Dalfox Server Mode

Type: Weaknesses
Values Added: CWE-306, CWE-434, CWE-73

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:59:46.662Z

Reserved: 2026-05-08T19:27:26.697Z

Link: CVE-2026-45089

Vulnrichment

Updated: 2026-05-27T17:59:43.738Z

NVD

Status: Deferred

Published: 2026-05-27T18:16:24.863

Modified: 2026-06-17T10:51:40.840

Link: CVE-2026-45089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:26Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-434

    Unrestricted Upload of File with Dangerous Type

  • CWE-73

    External Control of File Name or Path