


Perceptive Security
SOC/SIEM Consultancy

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 19:08:13
Source:
nvd.nist.gov
Security Tools, Web Technologies
CVE-2026-45089 affects Dalfox, an open-source XSS scanner, prior to version 2.13.0. When Dalfox runs in REST API server mode, the vulnerability allows unauthenticated attackers to create or append to arbitrary files on the host filesystem. The issue stems from improper handling of the output, output-all, and debug fields, which are deserialized from attacker requests and passed to the logging system. The logger opens attacker-supplied file paths with write permissions, and this happens outside the IsLibrary guard, so it is reachable in server mode. No API key is required in the default configuration, which makes this vulnerability easily exploitable by network attackers.
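The flaw class described above, shown as an added Go example that is not Dalfox's code (the function names and the base directory are hypothetical): a client-supplied output path opened directly, beside a resolver that confines the name under a server-controlled directory and refuses anything else.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// openLogUnsafe is the flawed pattern the advisory describes: requestedOutput
// is the value of an "output"-style field taken from the request body and goes
// straight into a create/append open, so the client picks any location the
// server process can write to.
func openLogUnsafe(requestedOutput string) (*os.File, error) {
	return os.OpenFile(requestedOutput, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
}

var errBadOutputName = errors.New("output must be a bare file name under the server's output directory")

// resolveOutputPath is the hardened counterpart: the client may choose a file
// name but never a location. Absolute paths, anything containing a separator,
// "." and ".." are refused, and the joined result is re-checked to sit directly
// under baseDir before it is returned.
func resolveOutputPath(baseDir, requested string) (string, error) {
	if requested == "" || filepath.IsAbs(requested) || strings.ContainsAny(requested, `/\`) {
		return "", errBadOutputName
	}
	name := filepath.Clean(requested)
	if name == "." || name == ".." {
		return "", errBadOutputName
	}
	full := filepath.Join(baseDir, name)
	if rel, err := filepath.Rel(baseDir, full); err != nil || rel != name {
		return "", errBadOutputName
	}
	return full, nil
}

// openLogSafe is what server mode should call instead of openLogUnsafe:
// resolve (and possibly refuse) first, then open inside baseDir only.
func openLogSafe(baseDir, requestedOutput string) (*os.File, error) {
	path, err := resolveOutputPath(baseDir, requestedOutput)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
}
```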
Technical details
Mitigation steps:
Affected products:
Dalfox
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45089
https://github.com/hahwul/dalfox/releases/tag/v2.13.0
https://github.com/hahwul/dalfox/security/advisories/GHSA-8hf9-3q64-q2qf
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
