cbcvebase.
CVE-2026-45087
published 2026-05-27


Priority: P2 76
CVSS 3.1: 10 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 1.15% (62.8th percentile)
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.

Affected (2 ranges)

Vendor       Product            Version range     Fixed in
github.com   hahwul_dalfox_v2   >= 0, < 2.13.0    2.13.0
hahwul       dalfox             < 2.13.0          2.13.0

Detection & IOCs (extracted from sources)

port: 6664
url: POST /scan
path: linux/http/dalfox_server_rce_cve_2026_45087 (Metasploit module)
  • Monitor for unauthenticated HTTP POST requests to /scan on port 6664, particularly those containing JSON bodies with 'FoundAction' or 'FoundActionShell' fields, which indicate exploitation of CVE-2026-45087.
  • Alert on Dalfox server processes (dalfox server) binding to 0.0.0.0:6664 without --api-key, as these are exploitable without authentication.
  • Inspect JSON payloads in POST /scan requests for the presence of 'FoundAction' and 'FoundActionShell' keys, which are the deserialized fields used to inject arbitrary shell commands.
  • A public Metasploit exploit module exists for this CVE targeting Dalfox Server versions <= 2.12.0; correlate IDS/IPS alerts with known Metasploit framework traffic patterns on port 6664.
  • The vulnerability only exists when Dalfox is run in REST API server mode ('dalfox server'). Deployments not using server mode are not affected.
  • The attack surface is eliminated if the operator explicitly passes --api-key, as this enforces authentication on the API endpoint.
  • The vulnerability is fixed in Dalfox version 2.13.0; only versions <= 2.12.0 are affected.
  • The shell command is only executed when a scan finding is triggered, meaning exploitation requires the attacker-controlled scan target to produce at least one XSS finding to fire the FoundAction payload.
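The detection bullets above, turned into a small checker over request records (an added example, not part of the advisory or of the Dalfox project). It assumes a constructed record format with id, method, path, dst_port and body fields, and matches the option keys case-insensitively because Go's encoding/json binds struct fields that way.

```python
"""Flag HTTP requests matching the CVE-2026-45087 exploitation pattern:
POST /scan bodies carrying FoundAction / FoundActionShell."""
import json
from dataclasses import dataclass

SCAN_PATH = "/scan"
DALFOX_DEFAULT_PORT = 6664
# Keys the advisory names as the injection vector; Go's encoding/json matches
# struct fields case-insensitively, so a lowercase variant would bind too.
DANGEROUS_KEYS = {"foundaction", "foundactionshell"}


@dataclass
class Alert:
    request_id: str
    severity: str      # "high" = dangerous keys present, "low" = /scan on 6664 only
    reasons: list


def _find_dangerous_keys(node, found):
    """Collect dangerous option keys at any depth of a decoded JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() in DANGEROUS_KEYS:
                found.add(key)
            _find_dangerous_keys(value, found)
    elif isinstance(node, list):
        for item in node:
            _find_dangerous_keys(item, found)
    return found


def inspect_request(req):
    """Return an Alert for one request record, or None if nothing matched."""
    if req["method"].upper() != "POST" or req["path"].split("?", 1)[0] != SCAN_PATH:
        return None
    reasons = []
    if req["dst_port"] == DALFOX_DEFAULT_PORT:
        reasons.append("POST /scan to dalfox default port 6664")
    try:
        payload = json.loads(req["body"])
    except ValueError:
        payload = None  # not JSON: the server would not deserialize it as Options
    hits = _find_dangerous_keys(payload, set())
    if hits:
        reasons.append("dangerous option keys in body: " + ", ".join(sorted(hits)))
    if not reasons:
        return None
    return Alert(req["id"], "high" if hits else "low", reasons)


def detect(requests):
    """Run inspect_request over a batch of records and keep the alerts."""
    return [a for a in (inspect_request(r) for r in requests) if a]


SAMPLE_REQUESTS = [  # constructed records, not real traffic
    {"id": "r1", "method": "POST", "path": "/scan", "dst_port": 6664,
     "body": '{"url": "http://target.example", "FoundActionShell": "<placeholder>"}'},
    {"id": "r2", "method": "POST", "path": "/scan", "dst_port": 8080,
     "body": '{"url": "http://target.example", "foundaction": "<placeholder>"}'},
    {"id": "r3", "method": "POST", "path": "/scan", "dst_port": 6664,
     "body": '{"url": "http://target.example"}'},
    {"id": "r4", "method": "GET", "path": "/scan?url=x", "dst_port": 6664, "body": ""},
]
```

Run `detect(SAMPLE_REQUESTS)` to see r1 and r2 flagged high (option keys present) and r3 flagged low (plain POST /scan on 6664), which is the triage order the bullets suggest.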