OFFSITE.DARK

Jun 29, 2026

Sploitus

  • dalfox
  • xss
  • rce
  • cve-2026-45087
  • go

news

Dalfox Found-Action Deserialization RCE (CVE-2026-45087)

In dalfox server mode, POST /scan accepts FoundAction/FoundActionShell in the request JSON — unauthenticated RCE on the default bind 0.0.0.0:6664 when no --api-key is set.

Summary

CVE-2026-45087 is a critical (CVSS 10.0) unauthenticated command execution flaw in Dalfox < 2.13.0 when run as dalfox server. POST /scan deserializes an attacker-supplied model.Options, including FoundAction and FoundActionShell; foundAction() then runs exec.Command(shell, "-c", cmd) whenever any finding is reported. Rapid7's Metasploit module exploit/linux/http/dalfox_server_rce_cve_2026_45087 weaponizes this path.

Key Findings

Finding          Detail
CVE              CVE-2026-45087
Mode             REST API server only (dalfox server)
Default bind     0.0.0.0:6664 without --api-key
Weakness         CWE-15 — external control of execution options via JSON
Fixed version    2.13.0 (strips FoundAction fields from API input)
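The fix in 2.13.0 is described above as stripping the FoundAction fields from API input. As an added illustration (not Dalfox's own code; the request and option types, the timeout field and the handler are hypothetical), this Go program shows the input-handling pattern a defender wants on such an endpoint: bind to an allow-listed struct that simply has no execution-controlling fields, reject the two keys named in the advisory explicitly so the attempt is visible, and use DisallowUnknownFields so any other unexpected option is an error rather than something silently accepted.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
)

// scanRequest is the allow-listed request shape. It has no field for
// found-action or found-action-shell, so client JSON can never populate them.
// Hypothetical type for illustration; it is not Dalfox's model.Options.
type scanRequest struct {
	URL     string      `json:"url"`
	Options scanOptions `json:"options"`
}

// scanOptions carries only a harmless, illustrative tunable (name assumed).
type scanOptions struct {
	TimeoutSeconds int `json:"timeout"`
}

// blockedOptionKeys are the execution-controlling keys named in the advisory.
var blockedOptionKeys = []string{"found-action", "found-action-shell"}

// ErrExecOption marks a request that tried to set an execution-controlling option.
var ErrExecOption = errors.New("execution-controlling option not permitted via API")

// decodeScanRequest applies two layers of defence:
//  1. an explicit check for the known dangerous keys, so the attempt is
//     reported (and can be logged) instead of being silently dropped;
//  2. DisallowUnknownFields, so any key outside the allow-list is an error
//     and a future execution-related field cannot slip through unnoticed.
func decodeScanRequest(body []byte) (*scanRequest, error) {
	var probe struct {
		Options map[string]json.RawMessage `json:"options"`
	}
	if err := json.Unmarshal(body, &probe); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	for _, k := range blockedOptionKeys {
		if _, present := probe.Options[k]; present {
			return nil, fmt.Errorf("%w: %q", ErrExecOption, k)
		}
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req scanRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("rejected request field: %w", err)
	}
	if req.URL == "" {
		return nil, errors.New("url is required")
	}
	return &req, nil
}

// scanHandler is a minimal /scan endpoint built on the strict decoder.
// It only validates input; running a scan is out of scope for this example.
func scanHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	req, err := decodeScanRequest(body)
	if err != nil {
		log.Printf("rejected /scan from %s: %v", r.RemoteAddr, err) // audit trail
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted scan of %s (timeout %ds)\n", req.URL, req.Options.TimeoutSeconds)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/scan", scanHandler)
	// Loopback bind, per the mitigation above, instead of 0.0.0.0.
	log.Fatal(http.ListenAndServe("127.0.0.1:6664", mux))
}
```

The explicit key check runs before the strict decode on purpose: DisallowUnknownFields alone would also reject found-action, but only as a generic "unknown field" error, and the log line would not tell an analyst that someone probed for this specific CVE.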

Attack Chain

POST /scan { "url": "http://attacker/reflect", "options": { "found-action": "id", "found-action-shell": "/bin/sh" } }
        ↓
Dalfox scans → finds reflected XSS on attacker URL
        ↓
foundAction() executes attacker command as dalfox process user

Impact

An Internet-exposed Dalfox server hands an attacker full compromise of the host. A common misconfiguration is leaving the scanner daemon running on CI runners or on bug-bounty VPS images.

Mitigation

  1. Upgrade to Dalfox 2.13.0+.
  2. Never expose dalfox server publicly; bind 127.0.0.1 and require --api-key.
  3. Hunt in HTTP logs for POST /scan requests whose bodies set found-action or found-action-shell.
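Mitigation step 3 is only possible where request bodies are logged, which a plain access log does not do. The following Go program is an added example (not from the advisory or the Dalfox project) that hunts over a constructed JSON-lines log of the kind a reverse proxy or WAF with body logging might emit (the field names and the addresses are assumed). It raises a high-severity alert when a POST /scan body sets either execution-controlling key, parsing the body as JSON so the match is on the key rather than on any substring, and a medium-severity alert for any POST /scan that does not come from loopback, which is the signal still available when bodies are not logged.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// proxyLogEntry is the shape of the constructed JSON-lines log below. A real
// reverse-proxy or WAF log that records request bodies needs its own mapping.
type proxyLogEntry struct {
	Time   string `json:"time"`
	Remote string `json:"remote_addr"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Body   string `json:"body"`
}

// Alert is one hunting hit.
type Alert struct {
	Line     int
	Severity string
	Reason   string
	Remote   string
}

// execOptionKeys are the JSON keys the advisory names as execution-controlling.
var execOptionKeys = []string{"found-action", "found-action-shell"}

// sampleProxyLog is constructed test data; addresses are from RFC 5737 ranges.
const sampleProxyLog = `
{"time":"2026-06-29T10:00:01Z","remote_addr":"127.0.0.1:51000","method":"GET","path":"/health","body":""}
{"time":"2026-06-29T10:00:05Z","remote_addr":"127.0.0.1:51002","method":"POST","path":"/scan","body":"{\"url\":\"http://app.internal/\",\"options\":{}}"}
{"time":"2026-06-29T10:00:09Z","remote_addr":"203.0.113.7:40122","method":"POST","path":"/scan","body":"{\"url\":\"http://203.0.113.7/reflect\",\"options\":{\"found-action\":\"id\",\"found-action-shell\":\"/bin/sh\"}}"}
{"time":"2026-06-29T10:00:12Z","remote_addr":"198.51.100.9:40200","method":"POST","path":"/scan","body":"{\"url\":\"http://app.internal/\",\"options\":{}}"}
`

// bodySetsExecOption reports which execution-controlling key (if any) the
// request body sets. It parses JSON when it can, so "found-action" appearing
// inside a URL string does not fire; a substring fallback covers truncated bodies.
func bodySetsExecOption(body string) (string, bool) {
	var req struct {
		Options map[string]json.RawMessage `json:"options"`
	}
	if err := json.Unmarshal([]byte(body), &req); err == nil {
		for _, k := range execOptionKeys {
			if _, ok := req.Options[k]; ok {
				return k, true
			}
		}
		return "", false
	}
	for _, k := range execOptionKeys {
		if strings.Contains(body, `"`+k+`"`) {
			return k, true
		}
	}
	return "", false
}

// isLoopback is true for 127.0.0.0/8 and ::1 sources, with or without a port.
func isLoopback(remote string) bool {
	host, _, err := net.SplitHostPort(remote)
	if err != nil {
		host = remote
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// huntScanRequests walks the log and returns alerts in log order. Line numbers
// count non-empty lines only.
func huntScanRequests(logText string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	n := 0
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		n++
		var e proxyLogEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // unparseable line; a real pipeline would count these
		}
		if e.Method != "POST" || e.Path != "/scan" {
			continue
		}
		if key, hit := bodySetsExecOption(e.Body); hit {
			alerts = append(alerts, Alert{n, "high", "POST /scan sets " + key, e.Remote})
			continue
		}
		if !isLoopback(e.Remote) {
			alerts = append(alerts, Alert{n, "medium", "POST /scan from non-loopback source", e.Remote})
		}
	}
	return alerts
}

func main() {
	for _, a := range huntScanRequests(sampleProxyLog) {
		fmt.Printf("line %d [%s] %s (from %s)\n", a.Line, a.Severity, a.Reason, a.Remote)
	}
}
```

On the constructed log this yields a high alert for the third line (body sets found-action) and a medium alert for the fourth (an external source reaching /scan at all, which the mitigation says should never happen). If the server has been bound to 127.0.0.1 as recommended, the medium rule should stay silent, and any hit on it points at a proxy or bind misconfiguration worth fixing in its own right.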
