Perceptive Security
SOC/SIEM Consultancy

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 20:13:41
Source:
nvd.nist.gov
Security Tools, Web Technologies
A vulnerability in the Dalfox XSS scanner prior to version 2.13.0 allows unauthenticated attackers to create or append to arbitrary files on the host filesystem when the scanner is running in REST API server mode. The vulnerability stems from the output, output-all, and debug fields being deserialized from attacker-supplied requests and used in file operations without validation. In the default configuration no API key is required, so the issue is easily exploitable. The affected code is the logging functionality, which runs even in server/library mode, where file output was never intended.
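As an added illustration from a defender's point of view (hypothetical Go code written for this alert, not Dalfox's own implementation), the block below contrasts the defective pattern the advisory describes, request-supplied output, output-all and debug fields flowing straight into a file path, with a policy that refuses file output in server mode altogether and, in CLI mode, confines every destination to an operator-chosen directory. The ScanRequest type, the OutputPolicy type, the error values and the base directory are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ScanRequest is a hypothetical request body for a REST scan endpoint. The
// field names follow the advisory (output, output-all, debug); the type itself
// is an illustration, not Dalfox's own.
type ScanRequest struct {
	URL       string `json:"url"`
	Output    string `json:"output"`
	OutputAll string `json:"output-all"`
	Debug     string `json:"debug"`
}

// DecodeScanRequest is the deserialization step: caller-controlled JSON
// becomes a struct whose string fields are later treated as file paths.
func DecodeScanRequest(body []byte) (ScanRequest, error) {
	var req ScanRequest
	err := json.Unmarshal(body, &req)
	return req, err
}

// requestedOutputPaths collects the three file-destination fields exactly as
// sent. Handing these to os.OpenFile with O_CREATE|O_APPEND, which is the
// defective pattern, lets a remote caller create or append to any path the
// server process can write.
func requestedOutputPaths(req ScanRequest) []string {
	var paths []string
	for _, p := range []string{req.Output, req.OutputAll, req.Debug} {
		if p != "" {
			paths = append(paths, p)
		}
	}
	return paths
}

var (
	ErrFileOutputDisabled = errors.New("file output is not available in server mode")
	ErrPathOutsideBase    = errors.New("output path escapes the allowed directory")
)

// OutputPolicy is the hardened form: in server/library mode file output is
// refused outright, and in CLI mode every destination is confined to BaseDir.
type OutputPolicy struct {
	ServerMode bool
	BaseDir    string // assumed operator setting; only consulted when ServerMode is false
}

// Resolve returns the cleaned absolute paths the logger may open, or an error
// the HTTP handler should turn into a 400 response.
func (pol OutputPolicy) Resolve(req ScanRequest) ([]string, error) {
	requested := requestedOutputPaths(req)
	if len(requested) == 0 {
		return nil, nil
	}
	if pol.ServerMode {
		return nil, ErrFileOutputDisabled
	}
	base, err := filepath.Abs(pol.BaseDir)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, p := range requested {
		full := filepath.Join(base, p) // Join cleans ".." segments before the check
		rel, err := filepath.Rel(base, full)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, ErrPathOutsideBase
		}
		out = append(out, full)
	}
	return out, nil
}

func main() {
	// Constructed sample request: a caller asks the server to write to /tmp.
	body := []byte(`{"url":"http://scan-target.example","output":"/tmp/scan.log"}`)
	req, err := DecodeScanRequest(body)
	if err != nil {
		panic(err)
	}
	fmt.Println("raw paths the defective logger would open:", requestedOutputPaths(req))
	_, err = OutputPolicy{ServerMode: true}.Resolve(req)
	fmt.Println("server mode:", err)
	paths, err := OutputPolicy{BaseDir: "/var/lib/scanner-output"}.Resolve(req)
	fmt.Println("cli mode:", paths, err)
}
```

The design point is that the decision "may this request produce a file at all" is made once, by mode, before any path is examined: a server that never intended to write files gains nothing from path validation and should simply reject the fields. The CLI-mode confinement is a separate, stricter choice added here for illustration; an operator who types the path on the command line is not the attacker the advisory is about.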
Technical details
Mitigation steps:
Affected products:
Dalfox
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45089
https://github.com/hahwul/dalfox/releases/tag/v2.13.0
https://github.com/hahwul/dalfox/security/advisories/GHSA-8hf9-3q64-q2qf
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
