CVE-2026-45087
Deferred Deferred - Pending Action
Remote Code Execution in Dalfox XSS Scanner

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options β€” including FoundAction and FoundActionShell β€” is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45087
EUVD
EUVD-2026-32615
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dalfox dalfox 2.13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-15 One or more system settings or configuration elements can be externally controlled by a user.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Dalfox, an open-source XSS scanner, when it is run in REST API server mode prior to version 2.13.0. By default, the server listens on all network interfaces (0.0.0.0) at port 6664 without requiring an API key unless explicitly set. The issue arises because certain options, including FoundAction and FoundActionShell, are deserialized directly from attacker-supplied JSON in the POST /scan endpoint. These fields are then used without proper filtering, allowing an unauthenticated attacker who can access the server port to supply arbitrary shell commands. These commands will be executed on the host system whenever a scan finding is triggered.

Impact Analysis

This vulnerability has a critical impact because it allows remote unauthenticated attackers to execute arbitrary shell commands on the host running the Dalfox server. This can lead to complete system compromise, including full control over the affected machine, data theft, data destruction, or further network penetration.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dalfox to version 2.13.0 or later, where the issue is fixed.

Alternatively, if upgrading is not immediately possible, avoid running Dalfox in REST API server mode bound to 0.0.0.0:6664 without an API key, or explicitly pass the --api-key option to require authentication.

Compliance Impact

This vulnerability allows unauthenticated remote code execution on the host running Dalfox's REST API server mode, potentially leading to full read access to the filesystem, arbitrary file writes, service disruption, and lateral movement within the network.

Such unauthorized access and control over the system could result in exposure or alteration of sensitive data, which may violate data protection requirements under common standards and regulations like GDPR and HIPAA.

Therefore, organizations using vulnerable versions of Dalfox without proper API key enforcement risk non-compliance due to potential data breaches and lack of adequate access controls.

Detection Guidance

This vulnerability can be detected by checking if the Dalfox REST API server is running and accessible on port 6664 without requiring an API key. Since the server binds to 0.0.0.0:6664 by default, any unauthenticated user on the network can send POST requests to the /scan endpoint with crafted JSON payloads containing the found-action and found-action-shell parameters.

To detect if your system is vulnerable, you can attempt to connect to the Dalfox server port and verify if it responds without authentication. For example, using curl to send a test POST request to the /scan endpoint can help identify if the server accepts unauthenticated commands.

  • curl -X POST http://<target-ip>:6664/scan -H "Content-Type: application/json" -d '{"found-action":"id"}'
  • nc -vz <target-ip> 6664 # Check if port 6664 is open and listening

If the server responds or the port is open without authentication, the system is likely vulnerable. It is recommended to upgrade Dalfox to version 2.13.0 or later, which enforces API key authentication or strips dangerous parameters.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart