CVE-2026-45089
Deferred Deferred - Pending Action
Path Traversal in Dalfox XSS Scanner

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem. This vulnerability is fixed in 2.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45089
EUVD
EUVD-2026-32614
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dalfox dalfox 2.13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Dalfox, an open-source XSS scanner, when run in REST API server mode prior to version 2.13.0. The issue arises because certain fields (output, output-all, and debug) are deserialized directly from an attacker's request and used as file paths for logging without proper validation or restrictions. As a result, an attacker can supply a file path that the Dalfox process will open and write to, potentially creating or appending to any file writable by the Dalfox process on the host system.

This happens because the file write operation is performed outside the intended security guard (IsLibrary guard), allowing file output even when it was not intended. Additionally, since no API key is required by default, an unauthenticated attacker can exploit this vulnerability remotely.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to write or append arbitrary data to any file that the Dalfox process has permission to write on the host system. This can lead to unauthorized modification of files, potential data corruption, or even code injection if critical files are overwritten.

Such unauthorized file writes can compromise the integrity of the system, potentially allowing attackers to escalate privileges, disrupt services, or maintain persistence on the affected host.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dalfox to version 2.13.0 or later, where the issue has been fixed.

Additionally, ensure that the Dalfox REST API server is not running with default configurations that allow unauthenticated access.

Compliance Impact

This vulnerability allows unauthenticated attackers to create or append arbitrary files on the host filesystem, potentially leading to corruption of critical system files and unauthorized modification of data.

Such unauthorized file manipulation can result in violations of data integrity and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and auditability.

Because Dalfox by default does not require authentication for its REST API server mode, this vulnerability exposes systems to unauthorized access and modification, increasing the risk of non-compliance with these regulations.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unauthenticated REST API requests to Dalfox server mode that include the fields `output`, `output-all`, or `debug` in the request body. These fields are used by attackers to exploit the vulnerability by specifying arbitrary file paths for log writing.

To detect exploitation attempts on your system, you can look for unexpected file creation or modification by the Dalfox process, especially files created or appended to at unusual paths.

Suggested commands to help detect this vulnerability or exploitation attempts include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture HTTP POST requests to the Dalfox REST API server port and inspect the JSON body for the presence of `output`, `output-all`, or `debug` fields.
  • Example tcpdump command to capture traffic on port 3000 (replace with actual Dalfox REST API port): `tcpdump -A -s 0 'tcp port 3000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
  • Search for recently created or modified files by the Dalfox process using commands like: `find / -user dalfox -type f -mtime -1` (assuming Dalfox runs under user 'dalfox')
  • Check Dalfox process logs or system audit logs for suspicious file write operations or unusual file paths.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart