XSS Scanner Vulnerability in Dalfox by Hahwul
CVE-2026-45089

8.2 HIGH

Key Information:

Vendor: Hahwul
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-45089?

Dalfox, an open-source automation tool for XSS scanning, is affected in versions before 2.13.0. When run in REST API server mode, it does not adequately validate JSON-tagged input from the client, which allows an attacker to control the logging path. Because the default settings perform no API key validation, an unauthenticated user can create or modify files on the host system. This flaw highlights the importance of secure coding practices and robust authentication mechanisms in web applications.
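Two of the controls the description implies, as an added Go example that is not Dalfox's own code (the request field names and the reports directory are assumptions): an API-key check that fails closed when no key is configured, and confinement of the JSON-supplied output path to a fixed directory before anything is written.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"path/filepath"
	"strings"
)

// ScanRequest models a REST-API scan request body. Field names are assumed
// for this example; they are not Dalfox's real option names.
type ScanRequest struct {
	URL    string `json:"url"`
	Output string `json:"output"` // client-controlled log/report file name
}

// requireAPIKey fails closed: a server started without a configured key
// refuses every request instead of serving unauthenticated clients.
func requireAPIKey(configured, presented string) error {
	if configured == "" {
		return errors.New("no API key configured; refusing request")
	}
	if subtle.ConstantTimeCompare([]byte(configured), []byte(presented)) != 1 {
		return errors.New("invalid API key")
	}
	return nil
}

// safeOutputPath rejects absolute paths and ".." traversal, then confines
// the name under baseDir so the client cannot choose where the file lands.
func safeOutputPath(baseDir string, req ScanRequest) (string, error) {
	if req.Output == "" {
		return "", nil // nothing to write
	}
	if filepath.IsAbs(req.Output) {
		return "", errors.New("absolute output path rejected")
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, filepath.Clean(req.Output))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("output path escapes the reports directory")
	}
	return full, nil
}
```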

Affected Version(s)

dalfox < 2.13.0

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
