PatchSiren

CVE-2026-45087 hahwul CVE debrief

## Summary

Dalfox is an open-source XSS scanner. Prior to version 2.13.0, when run in REST API server mode (`dalfox server`), the service binds to 0.0.0.0:6664 by default and requires no authentication unless the operator explicitly supplies `--api-key`. The server deserializes attacker-supplied JSON into `model.Options`, including the `FoundAction` and `FoundActionShell` fields, and propagates them directly into the scan options. An unauthenticated remote attacker who can reach the server port can therefore supply arbitrary shell commands that execute on the host whenever a scan finding is triggered.

## Affected Versions

- Dalfox prior to 2.13.0

## Fixed Versions

- Dalfox 2.13.0

## Attack Vector

Network-accessible REST API server mode with the default binding (0.0.0.0:6664) and no API key configured.

## Impact

Remote unauthenticated command execution on the host running the dalfox server.

## Root Cause

Unsafe deserialization of attacker-controlled JSON into an options struct that contains shell command fields, with no authentication required by default.

Vendor
hahwul
Product
dalfox
CVSS
CRITICAL (10.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running dalfox in server mode for automated XSS scanning; security teams managing offensive security tooling infrastructure; DevSecOps pipelines integrating dalfox API services.

Technical summary

In dalfox server mode, the HTTP handler for POST /scan unmarshals the request body JSON into model.Options without stripping or validating the FoundAction and FoundActionShell fields. These fields are passed to dalfox.Initialize and are later handed to the shell whenever a scan finding occurs. Because the server binds to 0.0.0.0 by default and does not require an API key unless one is configured, any attacker who can reach the port can set those fields and obtain command execution on the host.
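The following is an added example written for this debrief, not dalfox's own code, to show the two sides of the issue in miniature: a handler that decodes the request body straight into the options struct (the pattern described above) next to a hardened handler that requires a key, rejects unknown JSON members and never lets the wire type carry command fields. The `Options` and `scanRequest` types, the `found-action` JSON keys, the `X-API-Key` header and the `probe` helper are all assumptions made for the illustration; the real project's field names, header and flag handling are not asserted here. The attacker body is constructed, and the hook returns the argv it would run instead of executing it, so the program is safe to run offline.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os/exec"
	"strings"
)

// Options is a hypothetical stand-in for the scanner's option struct, modelling
// only the two command fields the advisory names; it is not dalfox's type.
type Options struct {
	URL              string `json:"url"`
	Method           string `json:"method"`
	FoundAction      string `json:"found-action"`
	FoundActionShell string `json:"found-action-shell"`
}

// runFoundAction models the post-finding hook. It returns the argv the shell
// would receive instead of running it, so the example stays offline.
func runFoundAction(opt Options) []string {
	if opt.FoundAction == "" {
		return nil
	}
	shell := opt.FoundActionShell
	if shell == "" {
		shell = "sh"
	}
	return exec.Command(shell, "-c", opt.FoundAction).Args
}

// vulnerableScanHandler reproduces the pattern described above: the body is
// decoded straight into the options struct, no credential is checked, and a
// finding is assumed so the hook fires with caller-chosen fields.
func vulnerableScanHandler(w http.ResponseWriter, r *http.Request) {
	var opt Options
	if err := json.NewDecoder(r.Body).Decode(&opt); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	_ = json.NewEncoder(w).Encode(map[string]interface{}{"executed": runFoundAction(opt)})
}

// scanRequest is the hardened wire type: the command fields do not exist here.
type scanRequest struct {
	URL    string `json:"url"`
	Method string `json:"method"`
}

// hardenedScanHandler fails closed when no key is configured, compares the key
// in constant time, rejects unknown JSON members (a smuggled found-action is a
// 400, not a silent drop) and builds Options from an allow-list of fields.
func hardenedScanHandler(apiKey string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		presented := []byte(r.Header.Get("X-API-Key"))
		if apiKey == "" || subtle.ConstantTimeCompare(presented, []byte(apiKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		dec := json.NewDecoder(io.LimitReader(r.Body, 1<<20))
		dec.DisallowUnknownFields()
		var req scanRequest
		if err := dec.Decode(&req); err != nil {
			http.Error(w, "bad request: "+err.Error(), http.StatusBadRequest)
			return
		}
		opt := Options{URL: req.URL, Method: req.Method} // FoundAction stays empty
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"executed": runFoundAction(opt)})
	}
}

// probe posts body to h in-process and reports the HTTP status plus the argv
// the hook would have executed (nil when nothing would run).
func probe(h http.Handler, body, key string) (int, []string) {
	req := httptest.NewRequest(http.MethodPost, "/scan", strings.NewReader(body))
	req.Header.Set("X-API-Key", key)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	var out struct{ Executed []string `json:"executed"` }
	_ = json.Unmarshal(rr.Body.Bytes(), &out)
	return rr.Code, out.Executed
}

// attackerBody is a constructed request an unauthenticated caller could send.
const attackerBody = `{"url":"http://target.example/?q=1","found-action":"id > /tmp/pwned","found-action-shell":"/bin/sh"}`

func main() {
	v := http.HandlerFunc(vulnerableScanHandler)
	h := hardenedScanHandler("s3cret")
	fmt.Println(probe(v, attackerBody, ""))                              // 200 [/bin/sh -c id > /tmp/pwned]
	fmt.Println(probe(h, attackerBody, ""))                              // 401 []
	fmt.Println(probe(h, attackerBody, "s3cret"))                        // 400 []
	fmt.Println(probe(h, `{"url":"http://target.example/"}`, "s3cret")) // 200 []
}
```

Two design points are worth noting. Dropping the command fields from the wire type is stronger than blanking them after decoding, because a future field added to `Options` cannot silently become remotely settable; `DisallowUnknownFields` then turns any attempt to smuggle them into a visible 400 that is worth alerting on. Failing closed when no key is configured is the opposite of the pre-2.13.0 default the debrief describes, and is the behaviour an operator exposing such a service on 0.0.0.0 should want.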

Defensive priority

CRITICAL

Recommended defensive actions

  • Upgrade to dalfox 2.13.0 or later
  • If running dalfox server, explicitly configure --api-key so that every request must present a credential
  • Restrict network access to the dalfox server port (default 6664) to authorized hosts only; do not expose it on 0.0.0.0 to untrusted networks
  • Review dalfox server logs for unauthorized scan requests and for requests carrying FoundAction or FoundActionShell parameters, which a legitimate remote caller should not be setting
  • Consider running dalfox server in an isolated environment under an account with limited host privileges, so that a triggered command has little to act on

Evidence notes

CVE published 2026-05-27T18:16:24.567Z; modified 2026-05-27T19:49:48.143Z. Advisory references GitHub Security Advisory GHSA-v25v-m36w-jp4h and release v2.13.0.
