CVE-2026-45090
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dalfox | dalfox | 2.13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in Dalfox, an open-source XSS scanner, prior to version 2.13.0. The issue occurs in the ParameterAnalysis component where two sequential worker stages write to the same results channel. The channel is closed after the first stage, but the second stage still attempts to write to this closed channel. This causes a Go runtime panic that crashes the entire Dalfox process.
In server mode, this crash can be triggered remotely by any unauthenticated user who can access the REST API, because the default configuration does not require an API key. The crash happens when the attacker supplies data that activates the second stage and the target reflects at least one parameter.
This vulnerability was fixed in Dalfox version 2.13.0.
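The closed-channel ordering described above, as an added Go example that is not Dalfox's own code: a results channel is closed once the first stage finishes, and the second stage then sends on it. The helper names (runStage, analyze), the closeEarly switch that toggles between the buggy and the fixed ordering, and the sample parameter names are assumptions constructed for the demo.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// runStage is a hypothetical worker stage: one goroutine per parameter, each sending a
// finding on out. Sending on a closed channel panics; the recover only lets this demo count.
func runStage(stage int, params []string, out chan<- string, panics *int32) {
	var wg sync.WaitGroup
	for _, p := range params {
		wg.Add(1)
		go func(p string) {
			defer wg.Done()
			defer func() {
				if recover() != nil { // the real process had no recover and crashed here
					atomic.AddInt32(panics, 1)
				}
			}()
			out <- fmt.Sprintf("stage%d:%s", stage, p)
		}(p)
	}
	wg.Wait()
}

// analyze runs two sequential stages over one results channel. closeEarly=true reproduces
// the bug (channel closed after stage 1); closeEarly=false is the ordering a fix needs.
func analyze(stage1, stage2 []string, closeEarly bool) (findings []string, panics int32) {
	out := make(chan string, len(stage1)+len(stage2)) // buffered: no reader goroutine needed
	runStage(1, stage1, out, &panics)
	if closeEarly {
		close(out) // bug: stage 2 has not run yet, so every one of its sends will panic
	}
	runStage(2, stage2, out, &panics)
	if !closeEarly {
		close(out) // fix: close only once the last producer has finished
	}
	for f := range out {
		findings = append(findings, f)
	}
	return findings, panics
}

func main() {
	f, n := analyze([]string{"q", "id"}, []string{"q", "id"}, true) // constructed parameter names
	fmt.Printf("bug reproduced: %d findings kept, %d stage-2 sends panicked\n", len(f), n)
}
```

With closeEarly=false the same input yields four findings and no panics, which is the invariant a patch for this class of bug must restore: the channel is closed by whoever knows the last producer is done.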
How can this vulnerability impact me?
The vulnerability can cause the Dalfox process to crash unexpectedly due to a runtime panic. In server mode, this crash can be triggered remotely by unauthenticated attackers, leading to a denial of service (DoS) condition.
This means that an attacker could disrupt the availability of the Dalfox scanning service, potentially interrupting automated security testing or other dependent processes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the Dalfox process to crash with a Go runtime panic when a scanned parameter is reflected and the second stage writes to a closed channel.
Detection can be done by monitoring Dalfox server mode for unexpected crashes or panics when handling REST API requests, especially those including POST-body parameters.
Since the crash is remotely triggerable by unauthenticated callers supplying the data field, observing logs for repeated crashes or panic stack traces related to channel operations in Dalfox can indicate exploitation attempts.
No specific commands are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Dalfox version 2.13.0.
Immediate mitigation steps include upgrading Dalfox to version 2.13.0 or later.
Additionally, restricting access to the Dalfox REST API, for example by enabling API keys or limiting network access, can reduce the risk of remote exploitation.