CRITICAL🇵🇱 Wersja polska

CVE-2026-45087

CVSS 10.0v3.1pub. 2026-05-27upd. 2026-05-28

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.

🤖 AI Analysis
How it works

When handling a POST /scan request, the server deserializes the JSON object supplied by the attacker directly into a model.Options structure, which contains the FoundAction and FoundActionShell fields. The dalfox.Initialize function propagates these fields to the final scan options without sanitization or removal. As a result, when the scan detects any finding, dalfox executes the shell command specified by the attacker on the host. The lack of a default authentication mechanism (--api-key is optional) allows any network client to invoke this mechanism.

Impact

An unauthenticated attacker can execute arbitrary system commands on the server hosting dalfox, leading to complete host takeover, data exfiltration, and potential for further lateral movement in the network.

Mitigation & patch

Update dalfox to version 2.13.0 or newer. Until the update is applied, it is recommended to restrict network access to port 6664 using a firewall and enforce the use of the --api-key parameter when running the server.

Who is affected

Dalfox versions earlier than 2.13.0 running in REST API server mode (dalfox server command)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSSDeserializationCommand Injection
CWE
References