PT-2026-40551 · Hahwul+1 · Dalfox+1

Drmingler

·

Published

2026-05-12

·

Updated

2026-05-27

·

CVE-2026-45089

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Dalfox versions prior to 2.13.0

Description

When running in REST API server mode, the software fails to sanitize certain fields in the request body, allowing an unauthenticated network caller to create or append to any file writable by the process on the host filesystem. The issue occurs because the output, output-all, and debug fields in model.Options are deserialized directly from the request and passed to the scan engine's logging path. The logging function DalLog() opens the attacker-supplied path using os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes log lines to it, bypassing the IsLibrary guard intended to prevent file output in server mode. By default, no API key is required, so the write is reachable without authentication.

Recommendations

Update to version 2.13.0 or later. As a temporary mitigation, restrict access to the REST API server and ensure it is not exposed to untrusted networks. Require an API key by passing the --api-key flag at server startup to eliminate unauthenticated access.
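The write pattern the description refers to, shown as an added illustration rather than Dalfox's own code: a constructed Options struct stands in for the three request fields named above, appendLog is a sink that opens whatever path it is handed with O_APPEND|O_CREATE|O_WRONLY, and the hardened handler clears the file-output fields after deserialization and makes the logging path honour IsLibrary. The struct field types, handler names, and the JSON request body are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Options is a constructed stand-in for the request-body fields the advisory names
// (output, output-all, debug). It is not Dalfox's model.Options; string types are assumed.
type Options struct {
	Output    string `json:"output"`
	OutputAll string `json:"output-all"`
	Debug     string `json:"debug"`
	IsLibrary bool   `json:"-"` // server-mode marker, never settable from the request body
}

// appendLog is the sink described in the advisory: the path is opened with
// O_APPEND|O_CREATE|O_WRONLY, so a caller-chosen path is created or appended to.
func appendLog(path, line string) error {
	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(line + "\n")
	return err
}

// vulnerableHandler deserializes the body straight into Options and logs through the
// supplied path. IsLibrary is set for server mode but never consulted before the write.
func vulnerableHandler(body []byte) error {
	var opt Options
	if err := json.Unmarshal(body, &opt); err != nil {
		return err
	}
	opt.IsLibrary = true
	if opt.Output != "" {
		return appendLog(opt.Output, "[I] scan started")
	}
	return nil
}

// hardenedHandler clears the file-output fields after deserialization and routes
// logging through a function that refuses file output in server (library) mode.
func hardenedHandler(body []byte) error {
	var opt Options
	if err := json.Unmarshal(body, &opt); err != nil {
		return err
	}
	opt.IsLibrary = true
	opt.Output, opt.OutputAll, opt.Debug = "", "", ""
	return logLine(opt, "[I] scan started")
}

// logLine is the guarded logging path: in-process callers get no file output,
// regardless of what the request carried.
func logLine(opt Options, line string) error {
	if opt.IsLibrary || opt.Output == "" {
		return nil
	}
	return appendLog(opt.Output, line)
}

// Demo sends one constructed malicious request through both handlers. A file under dir
// stands in for "any file writable by the process"; it reports which handler created it.
func Demo(dir string) (vulnCreated, hardenedCreated bool, err error) {
	target := filepath.Join(dir, "attacker-chosen.txt")
	body := []byte(fmt.Sprintf(`{"url":"http://example.invalid","output":%q}`, target)) // constructed request

	if err = vulnerableHandler(body); err != nil {
		return
	}
	_, statErr := os.Stat(target)
	vulnCreated = statErr == nil
	os.Remove(target)

	if err = hardenedHandler(body); err != nil {
		return
	}
	_, statErr = os.Stat(target)
	hardenedCreated = statErr == nil
	return
}

func main() {
	dir, err := os.MkdirTemp("", "dalfox-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	v, h, err := Demo(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable handler created file: %v\nhardened handler created file: %v\n", v, h)
}
```

The point of the hardened variant is that clearing the fields alone is fragile (a new field with the same behaviour reintroduces the bug); the check in the logging function is what actually enforces the server-mode guarantee, so both belong in the fix.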

Fix

Weakness Enumeration

Unrestricted File Upload
Missing Authentication

Related Identifiers

CVE-2026-45089
GHSA-8hf9-3q64-q2qf

Affected Products

Dalfox
github.com/hahwul/dalfox/v2