CVE-2026-45090
Deferred - Pending Action
Dalfox XSS Scanner Remote Crash via Closed Channel

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage, which processes POST-body parameters (dp), is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0.
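The ordering bug the description walks through, reduced to a runnable Go model. This is an added example, not dalfox's code: runStage and analyze are constructed stand-ins for the scanner's worker stages and ParameterAnalysis, and the reflected map is a constructed stand-in for the target echoing a parameter back. With closeAfter set to 0 the POST-body stage sends on the already-closed channel and the Go runtime reports "send on closed channel"; with 1 the channel is closed once, after the last producer has returned, which is the ordering a correct fix must establish. The only deliberate departure from the real code is that each worker recovers its own panic and returns it as an error, so the failure can be observed (and asserted on) instead of terminating the process.

```go
package main

import (
	"fmt"
	"sync"
)

// runStage fans params out to one goroutine each and sends every reflected name on out. Unlike the
// real scanner, a worker's panic is recovered and returned as an error instead of killing the process.
func runStage(params []string, reflected map[string]bool, out chan<- string) error {
	var wg sync.WaitGroup
	errs := make(chan error, len(params))
	for _, p := range params {
		wg.Add(1)
		go func(name string) {
			defer func() {
				if r := recover(); r != nil {
					errs <- fmt.Errorf("worker %q: %v", name, r)
				}
				wg.Done()
			}()
			if reflected[name] {
				out <- name // panics with "send on closed channel" if out was already closed
			}
		}(p)
	}
	wg.Wait()
	close(errs)
	return <-errs // nil when no worker panicked
}

// analyze runs the URL-parameter stage (0) and then the POST-body stage (1) on one results channel and
// returns how many reflected parameters were reported; closeAfter picks the stage that close(results) follows.
func analyze(query, body []string, reflected map[string]bool, closeAfter int) (int, error) {
	results := make(chan string, len(query)+len(body)) // buffered: both stages finish before we count
	for i, params := range [][]string{query, body} { // body is empty when no POST data was supplied
		if err := runStage(params, reflected, results); err != nil {
			return 0, err
		}
		if i == closeAfter {
			close(results) // after stage 0 the body stage still sends here (the bug); after stage 1 every producer is done (the fix)
		}
	}
	return len(results), nil // results are still queued in the buffer; nothing was drained
}

func main() {
	_, err := analyze([]string{"q"}, []string{"user"}, map[string]bool{"q": true, "user": true}, 0)
	fmt.Println(err) // worker "user": send on closed channel
}
```

Note that with closeAfter 0 and no reflected body parameter the buggy ordering does not panic, which matches the trigger condition in the description: the closed channel is only touched when the target reflects a POST-body parameter.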
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-28
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: dalfox
Product: dalfox
Version / Range: 2.13.0
CWE
CWE-362: The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
Executive Summary

This vulnerability exists in Dalfox, an open-source XSS scanner, prior to version 2.13.0. The issue occurs in the ParameterAnalysis component where two sequential worker stages write to the same results channel. The channel is closed after the first stage, but the second stage still attempts to write to this closed channel. This causes a Go runtime panic that crashes the entire Dalfox process.

In server mode, this crash can be triggered remotely by any unauthenticated user who can access the REST API, because the default configuration does not require an API key. The crash happens when the attacker supplies data that activates the second stage and the target reflects at least one parameter.

This vulnerability was fixed in Dalfox version 2.13.0.

Impact Analysis

The vulnerability can cause the Dalfox process to crash unexpectedly due to a runtime panic. In server mode, this crash can be triggered remotely by unauthenticated attackers, leading to a denial of service (DoS) condition.

This means that an attacker could disrupt the availability of the Dalfox scanning service, potentially interrupting automated security testing or other dependent processes.

Detection Guidance

This vulnerability causes the Dalfox process to crash with a Go runtime panic when a scanned parameter is reflected and the second stage writes to a closed channel.

Detection can be done by monitoring Dalfox server mode for unexpected crashes or panics when handling REST API requests, especially those including POST-body parameters.

Since the crash is remotely triggerable by unauthenticated callers supplying the data field, observing logs for repeated crashes or panic stack traces related to channel operations in Dalfox can indicate exploitation attempts.

No specific commands are provided in the available information.

Mitigation Strategies

The vulnerability is fixed in Dalfox version 2.13.0.

Immediate mitigation steps include upgrading Dalfox to version 2.13.0 or later.

Additionally, restricting access to the Dalfox REST API, for example by enabling API keys or limiting network access, can reduce the risk of remote exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
