Vendor
high
advisory
Dalfox Server Mode Unauthenticated Arbitrary File Create/Append Vulnerability
2 rules, 3 TTPs
Dalfox in REST API server mode is vulnerable to CVE-2026-45089, an unauthenticated arbitrary file create/append vulnerability, due to the `output`, `output-all`, and `debug` options being deserialized directly from the attacker's request body, allowing a network caller to create or append to any file writable by the dalfox process.
dalfox <= 2.12.0
xss
file-write
unauthenticated
CVE-2026-45089
critical
advisory
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
2 rules, 1 TTP
Dalfox in REST API server mode is vulnerable to unauthenticated remote code execution (CVE-2026-45087) because the server binds to 0.0.0.0:6664 by default without requiring an API key and deserializes attacker-supplied JSON in `POST /scan` without stripping the `FoundAction` and `FoundActionShell` fields, allowing arbitrary command execution.
dalfox/v2
rce
dalfox
cve-2026-45087