PT-2026-40550 · Dalfox · Dalfox

·

CVE-2026-45088

·

Published

2026-05-12

·

Updated

2026-06-25

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Dalfox versions prior to 2.13.0
Description When running in REST API server mode, the software fails to sanitize the custom-payload-file field within model.Options, which is deserialized directly from the request body and passed to the dalfox.Initialize function and the scan engine. The engine utilizes the voltFile.ReadLinesOrLiteral() function to read lines from any file path accessible to the process and embeds them as XSS payloads in outbound HTTP requests sent to a target URL controlled by the attacker. Since the server does not require an API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files from the host system line-by-line through scan traffic.
Recommendations Update to version 2.13.0. As a temporary mitigation, restrict access to the custom-payload-file field by stripping filesystem-dangerous fields from API-sourced requests. Ensure the server is started with a mandatory --api-key to prevent unauthenticated access.

Exploit

Fix

Missing Authentication

Files Accessible to External Parties

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45088
GHSA-35WR-X7V6-9FV2
GO-2026-5070

Affected Products

Dalfox