CVE-2026-45087
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dalfox | dalfox | 2.13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-15 | One or more system settings or configuration elements can be externally controlled by a user. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote code execution on the host running Dalfox's REST API server mode, potentially leading to full read access to the filesystem, arbitrary file writes, service disruption, and lateral movement within the network.
Such unauthorized access and control over the system could result in exposure or alteration of sensitive data, which may violate data protection requirements under common standards and regulations like GDPR and HIPAA.
Therefore, organizations using vulnerable versions of Dalfox without proper API key enforcement risk non-compliance due to potential data breaches and lack of adequate access controls.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Dalfox REST API server is running and accessible on port 6664 without requiring an API key. Since the server binds to 0.0.0.0:6664 by default, any unauthenticated user on the network can send POST requests to the /scan endpoint with crafted JSON payloads containing the found-action and found-action-shell parameters.
To detect if your system is vulnerable, you can attempt to connect to the Dalfox server port and verify if it responds without authentication. For example, using curl to send a test POST request to the /scan endpoint can help identify if the server accepts unauthenticated commands.
- curl -X POST http://<target-ip>:6664/scan -H "Content-Type: application/json" -d '{"found-action":"id"}'
- nc -vz <target-ip> 6664 # Check if port 6664 is open and listening
If the server responds or the port is open without authentication, the system is likely vulnerable. It is recommended to upgrade Dalfox to version 2.13.0 or later, which enforces API key authentication or strips dangerous parameters.
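The two manual checks above (port probe, then an unauthenticated request to /scan) can be scripted for an inventory sweep of your own hosts. The following is an added example written for this page, not code from Dalfox or BaseFortify. It assumes that a server enforcing an API key answers an unauthenticated request with 401 or 403, and it deliberately sends an empty JSON object so that no found-action or found-action-shell field is ever present in the probe; the host addresses and verdict labels are constructed.

```python
"""Inventory check: which hosts expose a Dalfox REST API server that accepts
requests to /scan without an API key? (Added example; assumptions labelled.)"""
import json
import socket
import urllib.error
import urllib.request

DALFOX_DEFAULT_PORT = 6664  # default bind port named in the advisory

# Harmless probe body: contains no found-action / found-action-shell fields,
# so even an unpatched server has nothing to execute. (Constructed.)
PROBE_BODY = {}


def port_open(host, port, timeout=2.0):
    """TCP connect check, the scripted equivalent of `nc -vz host 6664`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def post_json(url, body, timeout=5.0):
    """POST a JSON body with no API key header and return the HTTP status
    code, or None when no HTTP response was obtained."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/400 etc. still carry a usable status
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Map the status of an unauthenticated POST /scan to a verdict.
    Assumption: a key-enforcing server rejects before handling the body."""
    if status is None:
        return "no-http-response"
    if status in (401, 403):
        return "api-key-enforced"
    if status == 404:
        return "endpoint-missing"  # probably not a Dalfox server at all
    # Any other status (2xx, 400, ...) means the handler ran without a key.
    return "no-api-key-required"


def assess(host, port=DALFOX_DEFAULT_PORT, connect=port_open, post=post_json):
    """Assess one host; connect/post are injectable for offline testing."""
    if not connect(host, port):
        return {"host": host, "port": port, "verdict": "port-closed"}
    status = post(f"http://{host}:{port}/scan", PROBE_BODY)
    return {"host": host, "port": port, "status": status,
            "verdict": classify(status)}


def assess_many(hosts, **kwargs):
    """Sweep a list of hosts you administer and return one record per host."""
    return [assess(h, **kwargs) for h in hosts]


if __name__ == "__main__":
    import sys
    # usage: python dalfox_check.py 10.0.0.5 10.0.0.6   (constructed addresses)
    for record in assess_many(sys.argv[1:]):
        print(record)
```

A verdict of `no-api-key-required` on a Dalfox version before 2.13.0 is the condition the advisory describes; `api-key-enforced` means the --api-key option (or the 2.13.0 fix) is in place. Because the probe body is empty, the check never exercises the vulnerable code path itself.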
Can you explain this vulnerability to me?
This vulnerability exists in Dalfox, an open-source XSS scanner, when it is run in REST API server mode prior to version 2.13.0. By default, the server listens on all network interfaces (0.0.0.0) at port 6664 without requiring an API key unless explicitly set. The issue arises because certain options, including FoundAction and FoundActionShell, are deserialized directly from attacker-supplied JSON in the POST /scan endpoint. These fields are then used without proper filtering, allowing an unauthenticated attacker who can access the server port to supply arbitrary shell commands. These commands will be executed on the host system whenever a scan finding is triggered.
How can this vulnerability impact me?
This vulnerability has a critical impact because it allows remote unauthenticated attackers to execute arbitrary shell commands on the host running the Dalfox server. This can lead to complete system compromise, including full control over the affected machine, data theft, data destruction, or further network penetration.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Dalfox to version 2.13.0 or later, where the issue is fixed.
Alternatively, if upgrading is not immediately possible, avoid running Dalfox in REST API server mode bound to 0.0.0.0:6664 without an API key, or explicitly pass the --api-key option to require authentication.