PatchSiren cyber security CVE debrief

CVE-2026-45089 hahwul CVE debrief

Dalfox is an open-source XSS scanner with a REST API server mode. Prior to version 2.13.0, the API server deserializes attacker-controlled `output`, `output-all`, and `debug` fields from JSON request bodies directly into `model.Options`. These values propagate through `dalfox.Initialize` to the scan engine's logging path. The logger opens the attacker-supplied path with `os.O_APPEND|os.O_CREATE|os.O_WRONLY` and writes scan logs to it. This file write executes outside the `IsLibrary` guard in `DalLog`, meaning it runs even in server/library mode where file output was never intended. With no API key required by default, unauthenticated network attackers can create or append to any file writable by the dalfox process.

Vendor: hahwul
Product: dalfox
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running dalfox in REST API server mode, security teams using dalfox for automated XSS scanning infrastructure, DevSecOps practitioners with dalfox deployed in containerized or shared environments

Technical summary

In dalfox versions prior to 2.13.0, the REST API server mode accepts JSON requests containing `output`, `output-all`, and `debug` fields that specify file paths for logging. These paths are deserialized without validation and passed directly to the logging subsystem, which opens them with append/create permissions. The vulnerability exists because the file write logic in `DalLog` is not protected by the `IsLibrary` guard, causing unintended file operations in server mode. Default configurations lack API key requirements, enabling unauthenticated remote exploitation for arbitrary file creation or appending on the host filesystem.
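The pattern the summary describes, shown as an added Go example that is not dalfox's own code and does not reproduce its fix: `ScanRequest`, `Options`, `vulnerableParse`, `hardenedParse`, `confinePath` and `writeLog` are illustrative names chosen here, the request body is constructed, and the struct stands in for the `model.Options` fields the advisory names. The unsafe version copies the JSON `output`, `output-all` and `debug` values straight into the options the logger opens; the hardened version drops those fields whenever the process runs as a server or library, confines any remaining path to an operator-chosen log directory for CLI use, and keeps the disk write itself behind the `IsLibrary` guard so a missed check upstream still cannot reach the filesystem.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ScanRequest mirrors the JSON fields the advisory names. The logger would
// treat each of the three path fields as a file to open. Illustrative type,
// not dalfox's model.Options.
type ScanRequest struct {
	URL       string `json:"url"`
	Output    string `json:"output"`
	OutputAll string `json:"output-all"`
	Debug     string `json:"debug"`
}

// Options is the effective configuration handed to the logger.
type Options struct {
	URL       string
	Output    string
	OutputAll string
	Debug     string
	IsLibrary bool // true in REST API server / library mode, false for the CLI
}

// vulnerableParse shows the unsafe pattern: attacker-controlled paths flow
// from the request body into the options with no validation.
func vulnerableParse(body []byte) (Options, error) {
	var req ScanRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return Options{}, err
	}
	return Options{URL: req.URL, Output: req.Output, OutputAll: req.OutputAll,
		Debug: req.Debug, IsLibrary: true}, nil
}

// confinePath rejects absolute paths and anything that escapes logDir after
// cleaning. Symlinks inside logDir are not resolved here (assumption: the
// operator controls that directory).
func confinePath(logDir, p string) (string, error) {
	if p == "" {
		return "", nil
	}
	if filepath.IsAbs(p) {
		return "", fmt.Errorf("absolute log path %q rejected", p)
	}
	base, err := filepath.Abs(logDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, p) // Join cleans, so ".." segments resolve
	if !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", fmt.Errorf("log path %q escapes %s", p, base)
	}
	return full, nil
}

// hardenedParse ignores caller-supplied file paths in server/library mode and
// confines them to logDir otherwise.
func hardenedParse(body []byte, isLibrary bool, logDir string) (Options, error) {
	var req ScanRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return Options{}, err
	}
	opts := Options{URL: req.URL, IsLibrary: isLibrary}
	if isLibrary {
		return opts, nil // file output was never intended in server mode
	}
	for _, f := range []struct {
		in  string
		out *string
	}{{req.Output, &opts.Output}, {req.OutputAll, &opts.OutputAll}, {req.Debug, &opts.Debug}} {
		p, err := confinePath(logDir, f.in)
		if err != nil {
			return Options{}, err
		}
		*f.out = p
	}
	return opts, nil
}

// writeLog is the sink. The IsLibrary check sits on the write itself, so the
// guard holds even if an unvalidated path reaches Options.
func writeLog(opts Options, line string) error {
	if opts.IsLibrary || opts.Output == "" {
		return nil
	}
	f, err := os.OpenFile(opts.Output, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(line + "\n")
	return err
}

func main() {
	// Constructed request body: a scan target plus a path the server should never honour.
	body := []byte(`{"url":"http://target.example","output":"../../escaped.log"}`)
	v, _ := vulnerableParse(body)
	fmt.Printf("vulnerable: logger would open %q\n", v.Output)
	if _, err := hardenedParse(body, false, "/var/log/dalfox"); err != nil {
		fmt.Println("hardened CLI mode:", err)
	}
	h, _ := hardenedParse(body, true, "/var/log/dalfox")
	fmt.Printf("hardened server mode: output=%q (dropped)\n", h.Output)
}
```

Run as-is and the first line shows the traversal path reaching the logger unchanged; the hardened parser rejects it in CLI mode and discards it in server mode. The two checks are deliberately redundant: rejecting the fields at the API boundary addresses CWE-73, and gating the write on `IsLibrary` addresses the missing guard in `DalLog` that the advisory identifies.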

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade dalfox to version 2.13.0 or later
  • If running dalfox in REST API server mode, verify no unauthorized file writes occurred in writable directories
  • Consider implementing API key authentication or network access controls for dalfox REST API server mode as defense in depth
  • Review file system permissions to ensure dalfox process runs with minimal write access
  • Monitor for unexpected file creation or modification in paths accessible to the dalfox process

Evidence notes

The vulnerability was disclosed via GitHub Security Advisory GHSA-8hf9-3q64-q2qf and fixed in dalfox release v2.13.0. The issue affects REST API server mode specifically, not standard CLI usage. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L reflects network attack vector with no privileges required, high integrity impact from arbitrary file writes, and low availability impact. CWE-73 (External Control of File Name or Path), CWE-306 (Missing Authentication for Critical Function), and CWE-434 (Unrestricted Upload of File with Dangerous Type) are identified as applicable weaknesses.

Official resources

2026-05-27