


Perceptive Security
SOC/SIEM Consultancy

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 19:08:13
Source:
nvd.nist.gov
Security Tools, Data Breach & Exfiltration
A vulnerability in the Dalfox XSS scanner, in versions prior to 2.13.0, allows an unauthenticated network attacker to read arbitrary files from the host when the tool is running in REST API server mode. The custom-payload-file field of a scan request accepts an attacker-supplied file path without validation. The scanner opens that file, reads it line by line, and embeds each line as an XSS payload in the HTTP requests it sends to the scan target, so an attacker who points the scan at a server they control receives the file's contents in those requests. The REST API does not require an API key by default, so no credentials are needed to reach the endpoint. The issue is fixed in version 2.13.0.
Technical details
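The pattern described above, with the vulnerable loader beside a hardened loader and endpoint, as an added illustration written for this page in Go (Dalfox's language). It is not Dalfox's own code and does not reproduce its API: the request field name custom_payload_file, the X-API-Key header, the operator-chosen allowed directory, and the listen address and directory in main are assumptions made for the example. ProbeURLs shows why reading an arbitrary file amounts to exfiltration: every line of the file ends up in a request sent to the scan target.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// ScanRequest is a hypothetical scan request; field names are not Dalfox's real schema.
type ScanRequest struct {
	URL               string `json:"url"`
	CustomPayloadFile string `json:"custom_payload_file"`
}

// readLines returns the lines of a file; in a scanner each line is one payload.
func readLines(path string) ([]string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return strings.Split(strings.TrimRight(string(data), "\r\n"), "\n"), nil
}

// LoadPayloadsUnsafe is the vulnerable pattern: the client-supplied path is opened as-is.
func LoadPayloadsUnsafe(path string) ([]string, error) {
	return readLines(path)
}

var ErrOutsideAllowedDir = errors.New("payload file outside allowed directory")

// LoadPayloadsSafe accepts only a bare file name that resolves, after following
// symlinks, to a file inside allowedDir (an operator-chosen directory).
func LoadPayloadsSafe(allowedDir, name string) ([]string, error) {
	if name != filepath.Base(name) { // rejects "", "a/b", "../x", "/etc/passwd"
		return nil, ErrOutsideAllowedDir
	}
	root, err := filepath.Abs(allowedDir)
	if err != nil {
		return nil, err
	}
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return nil, err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, name))
	if err != nil {
		return nil, err
	}
	if !strings.HasPrefix(resolved, root+string(os.PathSeparator)) { // symlink must not escape
		return nil, ErrOutsideAllowedDir
	}
	return readLines(resolved)
}

// ProbeURLs is the exfiltration channel: each payload line is placed in a query
// parameter of a request to the scan target, so the target's server receives it.
func ProbeURLs(target, param string, payloads []string) ([]string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(payloads))
	for _, p := range payloads {
		q := u.Query()
		q.Set(param, p)
		u.RawQuery = q.Encode()
		out = append(out, u.String())
	}
	return out, nil
}

// NewScanHandler is the hardened endpoint: it requires an API key on every request
// and only loads payload files through LoadPayloadsSafe.
func NewScanHandler(apiKey, allowedDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if apiKey == "" || r.Header.Get("X-API-Key") != apiKey {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var req ScanRequest
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		payloads, err := LoadPayloadsSafe(allowedDir, req.CustomPayloadFile)
		if err != nil {
			http.Error(w, "payload file rejected", http.StatusBadRequest)
			return
		}
		probes, err := ProbeURLs(req.URL, "q", payloads)
		if err != nil {
			http.Error(w, "bad target url", http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string][]string{"probes": probes})
	}
}

func main() { // assumed deployment settings: key from the environment, payloads in a fixed directory
	panic(http.ListenAndServe("127.0.0.1:6664", NewScanHandler(os.Getenv("SCAN_API_KEY"), "/var/lib/scanner/payloads")))
}
```

The unsafe loader reads whatever the process can read, so a request naming /etc/passwd turns that file into "payloads" that are then sent to the target. The safe loader takes a bare file name only, resolves symlinks, and checks that the resolved path is still under the operator's directory; stripping ".." alone is not enough, because a symlink dropped into the payload directory would still escape, which is why the check runs on the resolved path. A real scanner would fall back to its built-in payload list when no custom file is given instead of rejecting the request as this example does.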
Mitigation steps:
Upgrade Dalfox to version 2.13.0 or later. Until the upgrade is done, do not run Dalfox in REST API server mode where untrusted hosts can reach it.
Affected products:
Dalfox
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45088
https://github.com/hahwul/dalfox/releases/tag/v2.13.0
https://github.com/hahwul/dalfox/security/advisories/GHSA-35wr-x7v6-9fv2
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
