Perceptive Security
SOC/SIEM Consultancy

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server),…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 19:08:13
Source:
nvd.nist.gov
Security Tools, Web Technologies
Critical vulnerability in Dalfox open-source XSS scanner prior to version 2.13.0. When running in REST API server mode, the application binds to all interfaces (0.0.0.0:6664) without requiring authentication by default. Attackers can exploit unsafe deserialization of user-supplied JSON in POST /scan requests to execute arbitrary shell commands on the host system. The vulnerability occurs because FoundAction and FoundActionShell fields from model.Options are directly deserialized from attacker-controlled input and propagated to scan options without validation. Any unauthenticated user who can reach the server port can achieve remote code execution when scan findings are triggered. This issue has been patched in version 2.13.0.
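The root cause described above is that the REST handler deserializes the client's JSON straight into the full options structure, so fields meant for the operator (FoundAction, FoundActionShell) become attacker-controlled. The following is an added example, not Dalfox's own code, of the defensive pattern: decode POST /scan bodies into an allowlisted request type and reject any key outside the allowlist. The field names url and headers and the ScanRequest type are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ScanRequest is the allowlisted body accepted on POST /scan (hypothetical
// field set). Execution-related options such as FoundAction and FoundActionShell
// are deliberately absent, so the decoder cannot populate them from the wire.
type ScanRequest struct {
	URL     string            `json:"url"`
	Headers map[string]string `json:"headers,omitempty"`
}

// allowedFields lists the JSON keys a REST client may set, compared
// case-insensitively because encoding/json matches struct fields that way.
var allowedFields = map[string]bool{"url": true, "headers": true}

// ParseScanRequest rejects any request carrying a key outside the allowlist
// instead of silently dropping it, so an attempt to set an execution option
// becomes a logged error rather than a scan option.
func ParseScanRequest(body []byte) (*ScanRequest, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("invalid JSON body: %w", err)
	}
	for key := range raw {
		if !allowedFields[strings.ToLower(key)] {
			return nil, fmt.Errorf("field %q is not accepted from REST clients", key)
		}
	}
	var req ScanRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("invalid scan request: %w", err)
	}
	if req.URL == "" {
		return nil, fmt.Errorf("url is required")
	}
	return &req, nil
}

func main() {
	// Constructed sample body that tries to smuggle an execution option.
	body := []byte(`{"url":"http://target.example/?q=1","FoundActionShell":"placeholder"}`)
	_, err := ParseScanRequest(body)
	fmt.Println("rejected:", err)
}
```

Logging the rejected field name gives the SOC a cheap detection signal for probing of an exposed scanner API.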
Mitigation steps:
Update to Dalfox 2.13.0 or later, where this issue is patched. Until the update is applied, do not run the REST API server (dalfox server) where untrusted users can reach its port, since it listens on all interfaces (0.0.0.0:6664) without authentication by default.
Affected products:
Dalfox
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45087
https://github.com/hahwul/dalfox/releases/tag/v2.13.0
https://github.com/hahwul/dalfox/security/advisories/GHSA-v25v-m36w-jp4h
This article was created with the assistance of AI technology by Perceptive.
