216.73.217.22

CVE-2026-45087

· Published 27/05/2026 18:16 · Modified 28/05/2026 14:16

Labels: CVE-2026-45087 2026-05-27CVE-2026-45087CWE-15[email protected]

Essential information

Published
27/05/2026 18:16
Modified
28/05/2026 14:16
Author
Creator
CVSS
10.0 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS metrics

Description

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dalfox / dalfox cpe:2.3:a:dalfox:dalfox:<2.13.0:*:*:*:*:*:*:*

References