CVE-2026-45087

CRITICAL
Published May 27, 2026 Modified May 27, 2026 CWE-15 CWE-78 CWE-306

Description

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.

CVSS v3.1 Score

10.0
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-15 CWE-15
CWE-78 OS Command Injection
CWE-306 Missing Authentication

References

Frequently Asked Questions

What is CVE-2026-45087? +
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0. It has a CVSS v3.1 base score of 10.0 (CRITICAL).
How severe is CVE-2026-45087? +
CVE-2026-45087 has a CVSS v3.1 score of 10.0 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
How do I check if I'm vulnerable to CVE-2026-45087? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-11166

For TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F, an attacker can impersonate a ground station …
CVE-2025-0425

Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of …
CVE-2025-41452

Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow …
CVE-2025-64726

Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. …
CVE-2024-4326 9.8

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient …
CVE-2024-38666 9.1

An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-45087 — free, no signup required.

Start Free Scan