A vulnerability in Dalfox XSS scanner prior to version 2.13.0 allows unauthenticated attackers to create or append to arbitrary files on the host filesystem when running in REST API server mode. The vulnerability stems from improper handling of output, output-all, and debug fields that are deserialized from attacker requests and used in file operations without proper validation. No API key is required in default configuration, making this easily exploitable. The issue affects the logging functionality that executes even in server/library mode where file output was not intended.