PatchSiren cyber security CVE debrief
CVE-2026-45088 hahwul CVE debrief
Dalfox is an open-source XSS scanner with a REST API server mode. Prior to version 2.13.0, the server mode accepted a `custom-payload-file` parameter in scan requests that was passed directly to a file-reading function without validation. An unauthenticated remote attacker could supply an arbitrary file path to read files from the dalfox host, with file contents exfiltrated line-by-line through outbound scan traffic to attacker-controlled URLs. The vulnerability exists because the REST API server has no authentication by default and the `custom-payload-file` field in `model.Options` is deserialized directly from user input and propagated unchanged through `dalfox.Initialize` to `voltFile.ReadLinesOrLiteral`. This is classified as CWE-73 (External Control of File Name or Path), CWE-306 (Missing Authentication for Critical Function), and CWE-552 (Files or Directories Accessible to External Parties). The CVSS 3.1 score of 7.5 (HIGH) reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. The issue was disclosed and fixed on May 27, 2026 in dalfox version 2.13.0.
- Vendor: hahwul
- Product: dalfox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running dalfox in REST API server mode for automated XSS scanning; security teams operating dalfox as a service; DevSecOps pipelines integrating dalfox server components
Technical summary
In dalfox versions prior to 2.13.0, the REST API server mode deserializes the `custom-payload-file` field from JSON request bodies directly into `model.Options` without validation. This value propagates through `dalfox.Initialize` to `voltFile.ReadLinesOrLiteral`, which reads the file at whatever path was supplied and embeds each of its lines as an XSS payload in outbound HTTP requests. With no API authentication by default, an unauthenticated attacker can read any file accessible to the dalfox process by pointing the scan at a URL they control and observing the resulting scan traffic.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade dalfox to version 2.13.0 or later to obtain the security fix
- If running dalfox in REST API server mode, implement network-level access controls to restrict API exposure to authorized hosts only
- Consider adding authentication middleware to dalfox server mode deployments as defense in depth
- Review dalfox server logs for suspicious scan requests containing unusual `custom-payload-file` values that may indicate exploitation attempts
- Audit file system permissions to limit files accessible to the dalfox process
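As an added illustration, not code from dalfox or from this advisory, the check below confines a user-supplied `custom-payload-file` value to a configured payload directory and, for log triage, flags JSON scan request bodies whose value escapes that directory. The JSON key is taken from the advisory text, the payload directory is an assumed deployment setting, and the request bodies used to exercise it are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Only the advisory's field; the real request body has more (assumption: key as in the advisory).
type scanRequest struct {
	CustomPayloadFile string `json:"custom-payload-file"`
}

// ConfinedPath returns the cleaned absolute path when p resolves inside
// baseDir and an error otherwise. Absolute paths elsewhere and "../"
// traversal are rejected; symlinks are not resolved here (assumption).
func ConfinedPath(baseDir, p string) (string, error) {
	if p == "" {
		return "", fmt.Errorf("empty path")
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Clean(p)
	if !filepath.IsAbs(p) {
		full = filepath.Join(base, p)
	}
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", p, baseDir)
	}
	return full, nil
}

// FlagRequests parses JSON scan request bodies and returns every
// custom-payload-file value that falls outside baseDir, for triage.
func FlagRequests(bodies []string, baseDir string) []string {
	var flagged []string
	for _, b := range bodies {
		var req scanRequest
		if json.Unmarshal([]byte(b), &req) != nil || req.CustomPayloadFile == "" {
			continue
		}
		if _, err := ConfinedPath(baseDir, req.CustomPayloadFile); err != nil {
			flagged = append(flagged, req.CustomPayloadFile)
		}
	}
	return flagged
}
```

A value that resolves inside the payload directory is returned cleaned and absolute; anything else is rejected, so the same function serves both as a guard in front of the file read and as the filter for reviewing recorded requests.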
Evidence notes
Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-35wr-x7v6-9fv2 and dalfox release notes. CVSS vector and CWE classifications sourced from NVD record. Timeline dates derived from CVE published and modified timestamps.