XSS Vulnerability in Dalfox Open-Source Scanner Affects Multiple Versions
CVE-2026-45088

7.5HIGH

Key Information:

Vendor: Hahwul
Status: Dalfox
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-45088?

Dalfox, a widely used open-source XSS scanner, is affected by a vulnerability that allows an unauthenticated network attacker to exfiltrate sensitive information. When operating in REST API server mode prior to version 2.13.0, the tool directly deserializes input from an attacker’s request, enabling them to read arbitrary files on the host system. This occurs as payloads constructed by the attacker can be embedded in outbound HTTP requests, facilitating the extraction of data line-by-line. The vulnerability was addressed in version 2.13.0, underscoring the importance of keeping software updated to mitigate potential risks.

Affected Version(s)

dalfox < 2.13.0

References

https://github.com/hahwul/dalfox/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/hahwul/dalfox/releases/tag/v2.13.0

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45088 Data

JSON

Hahwul

What is CVE-2026-45088?

Affected Version(s)

References

CVSS V3.1

Timeline