Hahwul · Dalfox · CVE-2026-45088
**Name of the Vulnerable Software and Affected Versions**
Dalfox versions prior to 2.13.0
**Description**
When running in REST API server mode, the software fails to sanitize the `custom-payload-file` field within `model.Options`, which is deserialized directly from the request body and passed to the `dalfox.Initialize` function and the scan engine. The engine uses the `voltFile.ReadLinesOrLiteral()` function to read lines from any file path accessible to the process and embeds them as XSS payloads in outbound HTTP requests sent to a target URL controlled by the attacker. Since the server does not require an API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files from the host system line by line through scan traffic.
**Recommendations**
Update to version 2.13.0.
As a temporary mitigation, strip filesystem-related fields such as `custom-payload-file` from options that arrive through the API before they are passed to `dalfox.Initialize` and the scan engine.
Ensure the server is started with a mandatory `--api-key` so that unauthenticated requests are refused.
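The two mitigations above, as an added Go example that is not Dalfox's own code: it assumes a simplified `apiOptions` struct modelled on the flag names (not the project's real `model.Options`), strips the file-path field from API-sourced requests while reporting what was stripped, and treats the API key as mandatory.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// apiOptions stands in for the subset of model.Options that the REST API
// deserializes from the request body (assumption: modelled on flag names).
type apiOptions struct {
	CustomPayloadFile string `json:"custom-payload-file"`
	Timeout           int    `json:"timeout"`
}

// sanitizeAPIOptions decodes an API request body and blanks every field that
// names a path on the server's filesystem. It returns the names of the fields
// it stripped so the caller can log the attempt as a detection signal.
func sanitizeAPIOptions(body []byte) (apiOptions, []string, error) {
	var opt apiOptions
	if err := json.Unmarshal(body, &opt); err != nil {
		return apiOptions{}, nil, fmt.Errorf("decode options: %w", err)
	}
	var stripped []string
	if opt.CustomPayloadFile != "" {
		// A remote caller must never choose which local file the engine reads.
		opt.CustomPayloadFile = ""
		stripped = append(stripped, "custom-payload-file")
	}
	return opt, stripped, nil
}

// authorized enforces a mandatory API key: an empty configured key is a
// misconfiguration and refuses every request instead of allowing all of them.
func authorized(configured, presented string) bool {
	if configured == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(configured), []byte(presented)) == 1
}

func main() {
	// Constructed request body naming a server-side file in the payload-file field.
	opt, stripped, err := sanitizeAPIOptions([]byte(`{"custom-payload-file":"/path/on/server","timeout":10}`))
	fmt.Printf("options=%+v stripped=%v err=%v\n", opt, stripped, err)
	fmt.Println("authorized:", authorized("configured-key", "configured-key"))
}
```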