CVE-2026-45087: CWE-15: External Control of System or Configuration Setting in hahwul dalfox
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.
AI Analysis
Technical Summary
Dalfox is an open-source XSS scanner that, before version 2.13.0, runs a REST API server binding to 0.0.0.0:6664 without requiring an API key by default. The server deserializes attacker-supplied JSON into model.Options, including fields FoundAction and FoundActionShell, which are propagated into scan options without sanitization. This allows unauthenticated remote attackers to inject arbitrary shell commands that the dalfox process executes on the host when a scan finding occurs. The vulnerability is identified as CWE-15 (External Control of System or Configuration Setting), CWE-78 (OS Command Injection), and CWE-306 (Missing Authentication for Critical Function). It has a CVSS 3.1 base score of 10.0 (critical). The issue is fixed in dalfox version 2.13.0.
Potential Impact
An unauthenticated remote attacker can execute arbitrary shell commands on the host running the vulnerable dalfox REST API server. This leads to complete system compromise, including full confidentiality, integrity, and availability impact. The vulnerability is critical with a CVSS score of 10.0, indicating high exploitability and severe consequences.
Mitigation Recommendations
Upgrade dalfox to version 2.13.0 or later, where this vulnerability is fixed. Until upgrading, restrict network access to the dalfox REST API server port (6664) to trusted users only and configure the server to require an API key by explicitly passing the --api-key option. Patch status is confirmed fixed in version 2.13.0.
CVE-2026-45087: CWE-15: External Control of System or Configuration Setting in hahwul dalfox
Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.
CVSS v3.1
Score 10.0critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dalfox is an open-source XSS scanner that, before version 2.13.0, runs a REST API server binding to 0.0.0.0:6664 without requiring an API key by default. The server deserializes attacker-supplied JSON into model.Options, including fields FoundAction and FoundActionShell, which are propagated into scan options without sanitization. This allows unauthenticated remote attackers to inject arbitrary shell commands that the dalfox process executes on the host when a scan finding occurs. The vulnerability is identified as CWE-15 (External Control of System or Configuration Setting), CWE-78 (OS Command Injection), and CWE-306 (Missing Authentication for Critical Function). It has a CVSS 3.1 base score of 10.0 (critical). The issue is fixed in dalfox version 2.13.0.
Potential Impact
An unauthenticated remote attacker can execute arbitrary shell commands on the host running the vulnerable dalfox REST API server. This leads to complete system compromise, including full confidentiality, integrity, and availability impact. The vulnerability is critical with a CVSS score of 10.0, indicating high exploitability and severe consequences.
Mitigation Recommendations
Upgrade dalfox to version 2.13.0 or later, where this vulnerability is fixed. Until upgrading, restrict network access to the dalfox REST API server port (6664) to trusted users only and configure the server to require an API key by explicitly passing the --api-key option. Patch status is confirmed fixed in version 2.13.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T19:27:26.697Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a172e7fe29bf47b50d78aa8
Added to database: 5/27/2026, 5:48:47 PM
Last enriched: 5/27/2026, 6:04:02 PM
Last updated: 5/29/2026, 4:56:31 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.