CVE-2026-45087

Name of the Vulnerable Software and Affected Versions dalfox versions prior to 2.12.0

Description When running in REST API server mode (dalfox server), the software binds to 0.0.0.0:6664 by default without requiring authentication. An unauthenticated attacker can send a request to the '/scan' endpoint providing arbitrary values for the found-action and found-action-shell variables. These values are deserialized and passed to the foundAction() function, which executes them via exec.Command whenever a scan finding is triggered. By hosting a reflective server to guarantee a finding, an attacker can achieve full remote code execution on the host system.

Recommendations For versions prior to 2.12.0, ensure the server is started with the --api-key flag to enable mandatory authentication. As a temporary mitigation, restrict network access to the server port (default 6664) to trusted sources only. Avoid using the found-action and found-action-shell variables in API requests.