XSS Scanner Dalfox Hit by Unauthenticated RCE: CVE-2026-45087 (CVSS 10.0)

The XSS scanner Dalfox, widely used by security researchers and bug-bounty hunters as a tool to hunt down other people's vulnerabilities, has been hit with CVE-2026-45087, a flaw carrying the maximum CVSS score of 10.0. Project maintainer hahwul disclosed the issue on May 27, 2026 as a GitHub Security Advisory (GHSA-v25v-m36w-jp4h), and the fix landed in v2.13.0.

The most striking thing about it is the structure. The researchers running Dalfox to "find XSS in someone else's web app" now find that the Dalfox server itself can be attacked and made to execute arbitrary commands, a vulnerability that flips attacker and defender. Bug-bounty hunters' workstations and automated XSS checkers embedded in CI/CD pipelines become wholesale RCE footholds for attackers.

The problem lives in the REST API mode launched by the dalfox server subcommand. By default it binds to 0.0.0.0:6664 with the API key left as an empty string (i.e. no authentication), so any peer on the network can send a JSON payload via POST /scan with a shell command baked in, and that command runs with Dalfox's process privileges. The bug was reported by Emmanuel David (@drmingler).

What Dalfox Is

Dalfox is an open-source scanner from Korean researcher hahwul that automatically crawls web apps for XSS (cross-site scripting). With more than 5,000 GitHub stars, it sits alongside amass and nuclei as one of the "first tools you reach for" in bug-bounty circles.

Typical usage looks like this:

• Bug-bounty hunters running one-off scans against a target site with dalfox url ...
• Security firms operating it as an always-on REST API server in dalfox server mode for client engagements
• Embedding it in CI/CD pipelines (GitHub Actions, GitLab CI) for automated XSS checks before release
• Invoking it from tools like ChatGPT or Claude Code to automate security testing through an AI assistant
• Parameter discovery, WAF fingerprinting, and multi-format output (JSON / SARIF / Markdown / TOML) for direct inclusion in assessment reports

The trouble shows up only in the "always-on REST API server" case. Users running one-off CLI scans are not affected by this vulnerability.

Inside CVE-2026-45087

The vulnerability emerges from four overlapping design choices. NVD's classification stacks three CWEs together: CWE-78 (OS Command Injection), CWE-306 (Missing Authentication for Critical Function), and CWE-15 (External Control of System or Configuration Setting).

The vulnerable code path runs as follows. An attacker-supplied JSON payload flows from postScanHandler() to ScanFromAPI() to dalfox.Initialize() to foundAction() and finally into exec.Command(), which fires off a shell. Along the way, fields on model.Options such as FoundAction and FoundActionShell are never sanitized, so the attacker's string is dropped verbatim into the shell command.

Command execution is "wired to fire only when a vulnerability is detected," but an attacker can simply point Dalfox at a server they control that always reflects an XSS payload back. Detection then triggers reliably, and the planted command runs every time. The example payload from the advisory looks like this:

{
  "url": "http://attacker-server/?q=test",
  "options": {
    "found-action": "echo owned >/tmp/dalfox_rce_marker",
    "found-action-shell": "bash",
    "use-headless": false,
    "worker": 1,
    "limit-result": 1
  }
}

That one simple request is enough to drop an attacker-chosen command onto the machine running Dalfox. Dalfox is often run with root privileges so it can perform host vulnerability scans, in which case compromise of the process is immediately compromise of the whole host.

Why the Inverted-Roles Attack Pattern Works

In the bug-bounty world, it is normal for hunters to keep tools like Dalfox, nuclei, or ZAP running on their workstation and scan several targets in parallel. When the scanner that was supposed to act as "radar watching the target" has a vulnerability of its own, the radar turns into a homing beacon broadcasting the operator's location to attackers.

The motivation for attackers is clear. A bug-bounty hunter's workstation tends to accumulate exactly the kind of information attackers want:

• Past scan results, plus raw details on vulnerabilities that have not yet been reported
• API keys for multiple bug-bounty platforms (HackerOne, Bugcrowd, Synack)
• Confidential client information, SSL/TLS private keys, internal URL maps
• SSH keys, AWS credentials, GitHub tokens, work Slack tokens
• NDAs with client companies, undisclosed penetration-test reports

For an attacker, that material carries both "direct monetary value" and "informational advantage to sell vulnerabilities before another hunter does." Hijacking a Dalfox instance is an extremely high-ROI bet.

Similar patterns have shown up before. From Trivy's two consecutive compromises to LiteLLM's authentication bypass, the trend of "the tools that security and operations engineers use every day becoming attack surfaces" has been gathering clear momentum since 2025. Going after the defenders' toolkit yields "compounding attack value" for attackers, because it opens the door to all the client and customer data those defenders are entrusted with.

What To Do Now

1. Update Dalfox to v2.13.0 or later. Grab it from the GitHub release page. Homebrew users can run brew upgrade dalfox; from Go directly, go install github.com/hahwul/dalfox/v2@v2.13.0. Also check Snap and Nixpkgs for updated packages.

2. Even on v2.13.0, always set an API key. Even in the fixed release, running with no API key is still dangerous. Use the --api-key option with a long random string and have clients pass it back via the X-API-Key header.

3. Restrict the bind address to localhost. If there is no need for external access, restrict the bind with --host 127.0.0.1. For teams sharing an instance, the safer approach is to keep it inside a mesh VPN such as Tailscale.

4. Audit the last month of logs. Review Dalfox access logs for any POST /scan traffic that did not come from your own source IPs. Check for suspicious files like /tmp/dalfox_rce_marker, and review child processes spawned by the Dalfox process (ps / auditd logs).

5. Rotate every credential on the host where Dalfox was running. If the affected version was exposed externally at any point, assume past scan results have leaked. Rotate bug-bounty platform API keys, SSH keys, AWS/GCP/Azure credentials, GitHub tokens, and Slack/Discord webhooks—everything.

6. If Dalfox is wired into a CI/CD pipeline, revisit your runner setup. If you run Dalfox inside a GitHub Actions job or similar, confirm that each job spins up a fresh runner container (ephemeral runner). On long-lived runners, the runner's authentication token and write access to the repository become the next link in the attacker's chain.

CISA KEV Status And Related Coverage

As of May 28, 2026, CVE-2026-45087 is not listed in CISA's KEV catalog. Because Dalfox sits in the offensive-tools category, it falls outside KEV's primary remit of "U.S. federal agency production environments." That said, the blast radius—potential contamination of the wider security industry's ecosystem—means discussion is likely to heat up outside KEV, at DEF CON, Black Hat, and various national CERTs.

On this site, we keep a continuously updated index of CVEs that CISA has flagged as actively exploited in our CISA KEV Dashboard (Japanese edition). For the broader class of "attacks against the security tools themselves," our OSS Supply Chain Scanner tracks the current status of dependencies including Dalfox.

Dalfox v3.0.0 is in the works as a full Rust rewrite, and the v2 line is set to enter a maintenance phase focused on security fixes. One thing to watch as v3 ships is whether the team takes the lesson from this incident and defaults the bind address to localhost while making an API key mandatory.

References

• ▸ NVD - CVE-2026-45087 Detail
• ▸ GitHub Security Advisory - GHSA-v25v-m36w-jp4h
• ▸ GitHub - Dalfox v2.13.0 Release
• ▸ Dalfox official repository
• ▸ CISA - Known Exploited Vulnerabilities Catalog