CVE-2026-45087
Published 2026-05-27
Priority: P2 (76) · Severity: critical · CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: public exploit available (see Detection & IOCs below)
EPSS: 1.15% (62.8th percentile)
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hahwul_dalfox_v2 | >= 0 < 2.13.0 | 2.13.0 |
| hahwul | dalfox | < 2.13.0 | 2.13.0 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated HTTP POST requests to /scan on port 6664, particularly those containing JSON bodies with 'FoundAction' or 'FoundActionShell' fields, which indicate exploitation of CVE-2026-45087.
- Alert on Dalfox server processes (dalfox server) binding to 0.0.0.0:6664 without --api-key, as these are exploitable without authentication.
- Inspect JSON payloads in POST /scan requests for the presence of 'FoundAction' and 'FoundActionShell' keys, which are the deserialized fields used to inject arbitrary shell commands.
- A public Metasploit exploit module exists for this CVE targeting Dalfox Server versions <= 2.12.0; correlate IDS/IPS alerts with known Metasploit framework traffic patterns on port 6664.
- The vulnerability only exists when Dalfox is run in REST API server mode ('dalfox server'). Deployments not using server mode are not affected.
- The attack surface is eliminated if the operator explicitly passes --api-key, as this enforces authentication on the API endpoint.
- The vulnerability is fixed in Dalfox version 2.13.0; only versions <= 2.12.0 are affected.
- The shell command is only executed when a scan finding is triggered, meaning exploitation requires the attacker-controlled scan target to produce at least one XSS finding to fire the FoundAction payload.
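The two detection items above (inspecting POST /scan bodies for the propagated option keys, and flagging server processes started without --api-key) can be turned into a small triage script. The following is an added example written for this page, not code from the Dalfox project; the request records and process command lines are constructed samples. It matches JSON keys case-insensitively on the assumption that the server decodes the body with Go's encoding/json, which accepts case variants of a field name, and it treats both `--api-key VALUE` and `--api-key=VALUE` as authentication being enabled (the `=` form is an assumption about the CLI parser).

```python
import json
import shlex

# Option fields the advisory names as propagated from the POST /scan body
# into the final scan options (compared lower-cased, see lead-in).
SUSPICIOUS_KEYS = {"foundaction", "foundactionshell"}

# Constructed sample request records (not captured traffic).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "port": 6664, "path": "/scan",
     "body": '{"url": "http://target.example/?q=1", '
             '"FoundAction": "echo constructed-sample", "FoundActionShell": "sh"}'},
    {"src": "10.0.0.9", "method": "POST", "port": 6664, "path": "/scan",
     "body": '{"url": "http://target.example/", "foundaction": "echo lower-case-variant"}'},
    {"src": "10.0.0.7", "method": "POST", "port": 6664, "path": "/scan",
     "body": '{"url": "http://target.example/", "blind": "http://oob.example/"}'},
    {"src": "10.0.0.8", "method": "GET", "port": 6664, "path": "/scan/abc123", "body": ""},
    {"src": "10.0.0.3", "method": "POST", "port": 6664, "path": "/scan", "body": "{not json"},
]

# Constructed sample process command lines (not from a real host).
SAMPLE_CMDLINES = [
    "dalfox server",
    "dalfox server --api-key s3cr3t-constructed",
    "dalfox server --api-key=s3cr3t-constructed",
    "dalfox url http://target.example/",
]


def suspicious_keys(body):
    """Return the top-level JSON keys in body that match the propagated option fields."""
    try:
        obj = json.loads(body)
    except ValueError:
        return set()          # malformed body: nothing to match, but not an exploit attempt
    if not isinstance(obj, dict):
        return set()          # model.Options is an object, so arrays/scalars cannot carry the fields
    return {k for k in obj if k.lower() in SUSPICIOUS_KEYS}


def classify(req):
    """Return an alert dict for a POST /scan request carrying the suspicious keys, else None."""
    if req["method"] != "POST" or req["path"].rstrip("/") != "/scan":
        return None
    keys = suspicious_keys(req["body"])
    if not keys:
        return None
    return {"src": req["src"], "port": req["port"], "keys": sorted(keys)}


def find_exploit_attempts(reqs):
    """Filter a sequence of request records down to alerts."""
    return [alert for alert in (classify(r) for r in reqs) if alert]


def server_without_api_key(cmdline):
    """True when the command line starts dalfox in server mode with no --api-key flag."""
    args = shlex.split(cmdline)
    if len(args) < 2 or args[1] != "server":
        return False
    has_key = any(a == "--api-key" or a.startswith("--api-key=") for a in args[2:])
    return not has_key


def unauthenticated_servers(cmdlines):
    """Return the command lines that should raise the 'server without --api-key' alert."""
    return [c for c in cmdlines if server_without_api_key(c)]


if __name__ == "__main__":
    for alert in find_exploit_attempts(SAMPLE_REQUESTS):
        print("POST /scan with option-injection keys:", alert)
    for cmd in unauthenticated_servers(SAMPLE_CMDLINES):
        print("dalfox server without --api-key:", cmd)
```

Feed `find_exploit_attempts` with records reconstructed from a reverse proxy or packet capture in front of port 6664 and `unauthenticated_servers` with process listings; a hit from either is worth escalating, and the process check is the one to act on first because it identifies hosts that are exposed whether or not an attempt has been seen yet.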
VulDB
CVE-2026-45087 [CRITICAL] hahwul dalfox up to 2.12.x REST API Server Mode /scan external control of setting (GHSA-v25v-m36w-jp4h)
VulDB · 2026-05-27 · CVSS 10.0
A vulnerability was found in hahwul dalfox up to 2.12.x and classified as critical. The affected element is an unknown function of the file /scan of the component REST API Server Mode. Such manipulation leads to external control of system or configuration setting.
This vulnerability is uniquely identified as CVE-2026-45087. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
CVE-2026-45087 [CRITICAL] CWE-15 Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
GHSA · 2026-05-12
# GHSA: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
## Summary
When dalfox is started in REST API server mode (`dalfox server`), the server binds to `0.0.0.0:6664` by default and requires no API key unless the operator explicitly passes `--api-key`. Because `model.Options` — including `FoundAction` and `FoundActionShell` — is deserialized directly from attacker-supplied JSON in `POST /scan`, and because `dalfox.Initialize` explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a
No detection rules found.