Remote Code Execution Vulnerability in Dalfox XSS Scanner
CVE-2026-45087

10CRITICAL

Key Information:

Vendor: Hahwul
Status: Dalfox
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-45087?

An unauthenticated remote code execution vulnerability exists in the Dalfox XSS scanner when run in REST API server mode. By default, the server binds to all interfaces (0.0.0.0:6664) and does not require an API key unless specified. This allows any unauthorized user to send specially crafted JSON payloads to the server through the POST /scan endpoint. The deserialization of these inputs, without proper validation, enables an attacker to execute arbitrary shell commands on the host system whenever a scan finding occurs. The vulnerability has been addressed in version 2.13.0.

Affected Version(s)

dalfox < 2.13.0

References

https://github.com/hahwul/dalfox/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/hahwul/dalfox/releases/tag/v2.13.0

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45087 Data

JSON

Hahwul

What is CVE-2026-45087?

Affected Version(s)

References

CVSS V3.1

Timeline