Hahwul Dalfox vulnerabilities
4 known vulnerabilities affecting hahwul/dalfox.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3
Vulnerabilities
CVE-2026-45087 | P2 | CRITICAL | CVSS 10.0 | PoC available | fixed in 2.13.0 | 2026-05-27
CWE-15
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is
Source: nvd
CVE-2026-45089 | P3 | HIGH | CVSS 8.2 | fixed in 2.13.0 | 2026-05-27
CWE-73
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logg
Source: nvd
CVE-2026-45088 | P3 | HIGH | CVSS 7.5 | fixed in 2.13.0 | 2026-05-27
CWE-73
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine. The engine passes
Source: nvd
CVE-2026-45090 | P3 | HIGH | CVSS 7.5 | fixed in 2.13.0 | 2026-05-27
CWE-362
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which
Source: nvd