A concurrency defect in Dalfox versions prior to 2.13.0 allows unauthenticated remote attackers to crash the application via a malformed scan request. The vulnerability stems from a channel closure race condition in the ParameterAnalysis function where a results channel is closed after the first worker stage completes, but a second stage continues to write to the same closed channel. When processing POST- [truncated]
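The close-after-first-stage ordering described above, rebuilt as an added Go example (constructed here, not Dalfox's ParameterAnalysis code): stageOne and stageTwo are stand-ins for the two worker stages, raceyAnalysis reproduces the premature close, and safeAnalysis shows the fix of closing the channel only after every writer has returned.

```go
package main

import "sync"

// stageOne fans params out to worker goroutines that send on out and returns once all have finished.
func stageOne(params []string, out chan<- string) {
	var wg sync.WaitGroup
	for _, p := range params {
		wg.Add(1)
		go func(v string) { defer wg.Done(); out <- v + ":s1" }(p)
	}
	wg.Wait()
}

// stageTwo is a later stage that writes to the same channel from the caller's goroutine.
func stageTwo(params []string, out chan<- string) {
	for _, p := range params {
		out <- p + ":s2"
	}
}

// raceyAnalysis reproduces the defect: results is closed once stage one completes, but stage two
// still sends to it. It reports whether the "send on closed channel" panic occurred; recover works
// here only because the send runs on this goroutine, inside a worker it would kill the process.
func raceyAnalysis(params []string) (panicked bool) {
	results := make(chan string, len(params)) // buffer sized for stage one only
	defer func() { panicked = recover() != nil }()
	stageOne(params, results)
	close(results)            // BUG: closed while a writer remains
	stageTwo(params, results) // panics on the first send
	return false
}

// safeAnalysis fixes it: one producer goroutine runs every stage and closes the channel exactly
// once, after the last writer returns; the caller drains with range, which ends at the close.
func safeAnalysis(params []string) []string {
	results := make(chan string)
	go func() {
		defer close(results)
		stageOne(params, results)
		stageTwo(params, results)
	}()
	var out []string
	for r := range results {
		out = append(out, r)
	}
	return out
}

func main() {}
```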
Dalfox is an open-source XSS scanner with a REST API server mode. Prior to version 2.13.0, the API server deserializes attacker-controlled `output`, `output-all`, and `debug` fields from JSON request bodies directly into `model.Options`. These values propagate through `dalfox.Initialize` to the scan engine's logging path. The logger opens the attacker-supplied path with `os.O_APPEND|os.O_CREATE|os.O_WRONL [truncated]
Dalfox is an open-source XSS scanner with a REST API server mode. Prior to version 2.13.0, the server mode accepted a `custom-payload-file` parameter in scan requests that was passed directly to a file-reading function without validation. An unauthenticated remote attacker could supply an arbitrary file path to read files from the dalfox host, with file contents exfiltrated line-by-line through outbound s [truncated]
## Summary

Dalfox is an open-source XSS scanner. Prior to version 2.13.0, when run in REST API server mode (`dalfox server`), the service binds to 0.0.0.0:6664 by default without requiring authentication unless the operator explicitly supplies `--api-key`. The server deserializes attacker-supplied JSON into `model.Options`, including `FoundAction` and `FoundActionShell` fields, and propagates these direct [truncated]