{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45089/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox \u003c= 2.12.0"],"_cs_severities":["high"],"_cs_tags":["xss","file-write","unauthenticated","CVE-2026-45089"],"_cs_type":"advisory","_cs_vendors":["hahwul"],"content_html":"\u003cp\u003eDalfox, a cross-platform vulnerability scanner, is susceptible to an unauthenticated arbitrary file create/append vulnerability (CVE-2026-45089) when run in REST API server mode. This vulnerability stems from the insecure handling of the \u003ccode\u003eoutput\u003c/code\u003e, \u003ccode\u003eoutput-all\u003c/code\u003e, and \u003ccode\u003edebug\u003c/code\u003e fields within the \u003ccode\u003emodel.Options\u003c/code\u003e struct. These fields are directly deserialized from the JSON request body of an attacker without proper sanitization, and then propagated into the scan engine\u0026rsquo;s logging path. Consequently, an attacker can create or append to any file on the host filesystem accessible to the dalfox process by sending a crafted POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint. The default configuration lacks API key authentication, compounding the risk. This affects dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the dalfox REST API server.\u003c/li\u003e\n\u003cli\u003eThe request body contains a JSON object with the \u003ccode\u003eurl\u003c/code\u003e field set to the scan target and the \u003ccode\u003eoptions\u003c/code\u003e field containing attacker-controlled values for \u003ccode\u003eoutput\u003c/code\u003e, \u003ccode\u003eoutput-all\u003c/code\u003e, and \u003ccode\u003edebug\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostScanHandler\u003c/code\u003e function binds the JSON request body to a \u003ccode\u003eReq\u003c/code\u003e struct, which includes the \u003ccode\u003eOptions\u003c/code\u003e field of type \u003ccode\u003emodel.Options\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eScanFromAPI\u003c/code\u003e function is called with the attacker-supplied \u003ccode\u003eURL\u003c/code\u003e and \u003ccode\u003eOptions\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInitialize\u003c/code\u003e function copies the attacker-controlled \u003ccode\u003eOutputFile\u003c/code\u003e, \u003ccode\u003eOutputAll\u003c/code\u003e, and \u003ccode\u003eDebug\u003c/code\u003e values from the \u003ccode\u003eOptions\u003c/code\u003e struct into a new \u003ccode\u003enewOptions\u003c/code\u003e struct.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDalLog\u003c/code\u003e function is called to write log messages. Critically, the file write operation using \u003ccode\u003eos.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\u003c/code\u003e occurs outside the \u003ccode\u003eIsLibrary\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003eThe attacker-specified file path is opened in append mode, and log messages are written to it. The URL parameter is also written verbatim in the logs, allowing partial content control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file creation or append on the dalfox host, leading to potential system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to create new files or append data to existing files on the dalfox host, provided the dalfox process has the necessary write permissions. This can lead to various impacts, including: arbitrary file creation (e.g., creating web shells in web-serving directories), arbitrary file append/corruption (e.g., corrupting application configuration files or cron entries), and potential remote code execution if the attacker can inject malicious content into a configuration file or script that is subsequently executed. The lack of authentication by default increases the severity, as any network-accessible dalfox instance is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Dalfox Unauthenticated File Write Attempt\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for POST requests to the /scan endpoint with suspicious \u003ccode\u003eoutput\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eApply the recommended remediation by nullifying filesystem-dangerous fields from API-sourced requests in the \u003ccode\u003epostScanHandler\u003c/code\u003e function as outlined in the advisory. This includes setting \u003ccode\u003erq.Options.OutputFile = \u0026quot;\u0026quot;\u003c/code\u003e before calling \u003ccode\u003eScanFromAPI\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs a defense-in-depth measure, guard the file write operation with \u003ccode\u003eIsLibrary\u003c/code\u003e in the \u003ccode\u003eDalLog\u003c/code\u003e function, ensuring that file writes only occur in non-library (CLI) mode.\u003c/li\u003e\n\u003cli\u003eEnforce the use of the \u003ccode\u003e--api-key\u003c/code\u003e option at server startup, making authentication mandatory for the REST API server.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of dalfox that incorporates these security fixes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:46Z","date_published":"2026-05-12T15:10:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-write/","summary":"Dalfox in REST API server mode is vulnerable to CVE-2026-45089, an unauthenticated arbitrary file create/append vulnerability, due to the `output`, `output-all`, and `debug` options being deserialized directly from the attacker's request body, allowing a network caller to create or append to any file writable by the dalfox process.","title":"Dalfox Server Mode Unauthenticated Arbitrary File Create/Append Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45089","version":"https://jsonfeed.org/version/1.1"}