{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/hahwul/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox \u003c= 2.12.0"],"_cs_severities":["high"],"_cs_tags":["xss","file-write","unauthenticated","CVE-2026-45089"],"_cs_type":"advisory","_cs_vendors":["hahwul"],"content_html":"\u003cp\u003eDalfox, a cross-platform vulnerability scanner, is susceptible to an unauthenticated arbitrary file create/append vulnerability (CVE-2026-45089) when run in REST API server mode. This vulnerability stems from the insecure handling of the \u003ccode\u003eoutput\u003c/code\u003e, \u003ccode\u003eoutput-all\u003c/code\u003e, and \u003ccode\u003edebug\u003c/code\u003e fields within the \u003ccode\u003emodel.Options\u003c/code\u003e struct. These fields are directly deserialized from the JSON request body of an attacker without proper sanitization, and then propagated into the scan engine\u0026rsquo;s logging path. Consequently, an attacker can create or append to any file on the host filesystem accessible to the dalfox process by sending a crafted POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint. The default configuration lacks API key authentication, compounding the risk. This affects dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the dalfox REST API server.\u003c/li\u003e\n\u003cli\u003eThe request body contains a JSON object with the \u003ccode\u003eurl\u003c/code\u003e field set to the scan target and the \u003ccode\u003eoptions\u003c/code\u003e field containing attacker-controlled values for \u003ccode\u003eoutput\u003c/code\u003e, \u003ccode\u003eoutput-all\u003c/code\u003e, and \u003ccode\u003edebug\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostScanHandler\u003c/code\u003e function binds the JSON request body to a \u003ccode\u003eReq\u003c/code\u003e struct, which includes the \u003ccode\u003eOptions\u003c/code\u003e field of type \u003ccode\u003emodel.Options\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eScanFromAPI\u003c/code\u003e function is called with the attacker-supplied \u003ccode\u003eURL\u003c/code\u003e and \u003ccode\u003eOptions\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInitialize\u003c/code\u003e function copies the attacker-controlled \u003ccode\u003eOutputFile\u003c/code\u003e, \u003ccode\u003eOutputAll\u003c/code\u003e, and \u003ccode\u003eDebug\u003c/code\u003e values from the \u003ccode\u003eOptions\u003c/code\u003e struct into a new \u003ccode\u003enewOptions\u003c/code\u003e struct.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDalLog\u003c/code\u003e function is called to write log messages. Critically, the file write operation using \u003ccode\u003eos.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\u003c/code\u003e occurs outside the \u003ccode\u003eIsLibrary\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003eThe attacker-specified file path is opened in append mode, and log messages are written to it. The URL parameter is also written verbatim in the logs, allowing partial content control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file creation or append on the dalfox host, leading to potential system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to create new files or append data to existing files on the dalfox host, provided the dalfox process has the necessary write permissions. This can lead to various impacts, including: arbitrary file creation (e.g., creating web shells in web-serving directories), arbitrary file append/corruption (e.g., corrupting application configuration files or cron entries), and potential remote code execution if the attacker can inject malicious content into a configuration file or script that is subsequently executed. The lack of authentication by default increases the severity, as any network-accessible dalfox instance is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Dalfox Unauthenticated File Write Attempt\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for POST requests to the /scan endpoint with suspicious \u003ccode\u003eoutput\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eApply the recommended remediation by nullifying filesystem-dangerous fields from API-sourced requests in the \u003ccode\u003epostScanHandler\u003c/code\u003e function as outlined in the advisory. This includes setting \u003ccode\u003erq.Options.OutputFile = \u0026quot;\u0026quot;\u003c/code\u003e before calling \u003ccode\u003eScanFromAPI\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAs a defense-in-depth measure, guard the file write operation with \u003ccode\u003eIsLibrary\u003c/code\u003e in the \u003ccode\u003eDalLog\u003c/code\u003e function, ensuring that file writes only occur in non-library (CLI) mode.\u003c/li\u003e\n\u003cli\u003eEnforce the use of the \u003ccode\u003e--api-key\u003c/code\u003e option at server startup, making authentication mandatory for the REST API server.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of dalfox that incorporates these security fixes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:46Z","date_published":"2026-05-12T15:10:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-write/","summary":"Dalfox in REST API server mode is vulnerable to CVE-2026-45089, an unauthenticated arbitrary file create/append vulnerability, due to the `output`, `output-all`, and `debug` options being deserialized directly from the attacker's request body, allowing a network caller to create or append to any file writable by the dalfox process.","title":"Dalfox Server Mode Unauthenticated Arbitrary File Create/Append Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-write/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox/v2 (\u003c= 2.12.0)"],"_cs_severities":["critical"],"_cs_tags":["rce","dalfox","cve-2026-45087"],"_cs_type":"advisory","_cs_vendors":["Hahwul"],"content_html":"\u003cp\u003eDalfox, a security auditing tool, is vulnerable to unauthenticated remote code execution (CVE-2026-45087) when running in REST API server mode (\u003ccode\u003edalfox server\u003c/code\u003e) with default settings. The server binds to \u003ccode\u003e0.0.0.0:6664\u003c/code\u003e and, unless explicitly configured with \u003ccode\u003e--api-key\u003c/code\u003e, does not require authentication. A flaw exists in how the server handles \u003ccode\u003emodel.Options\u003c/code\u003e, specifically \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e, which are deserialized directly from attacker-supplied JSON in \u003ccode\u003ePOST /scan\u003c/code\u003e. Because \u003ccode\u003edalfox.Initialize\u003c/code\u003e propagates these fields into the final scan options without sanitization, any unauthenticated attacker can execute arbitrary shell commands on the host OS whenever a scan finding is triggered. This vulnerability affects dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker starts a \u003ccode\u003edalfox server\u003c/code\u003e instance in REST API mode without specifying an API key, leaving it open to unauthenticated access.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious web server that reflects input, ensuring any scan against it will produce a finding.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the dalfox server.\u003c/li\u003e\n\u003cli\u003eThe request includes a JSON payload containing the URL of the malicious web server and \u003ccode\u003eoptions\u003c/code\u003e with malicious values for \u003ccode\u003efound-action\u003c/code\u003e and \u003ccode\u003efound-action-shell\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostScanHandler\u003c/code\u003e deserializes the JSON payload into a \u003ccode\u003eReq\u003c/code\u003e struct, including the \u003ccode\u003eoptions\u003c/code\u003e field which contains the malicious \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eScanFromAPI\u003c/code\u003e function is called, passing the attacker-controlled options to \u003ccode\u003edalfox.Initialize\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edalfox.Initialize\u003c/code\u003e copies the attacker-supplied \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values into the scan options without sanitization.\u003c/li\u003e\n\u003cli\u003eWhen a finding is triggered during the scan, the \u003ccode\u003efoundAction\u003c/code\u003e function executes the attacker-supplied shell command using \u003ccode\u003eexec.Command\u003c/code\u003e, achieving remote code execution on the dalfox host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in unauthenticated remote code execution on the host running \u003ccode\u003edalfox server\u003c/code\u003e. This grants the attacker full read access to secrets, configuration files, and credentials accessible to the dalfox process. The attacker can perform arbitrary file writes, enabling persistence, backdoor installation, and data exfiltration. The default \u003ccode\u003e0.0.0.0\u003c/code\u003e bind address exposes the server to all network interfaces, potentially including public-facing ones in misconfigured environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRequire API key:\u003c/strong\u003e Enforce the use of \u003ccode\u003e--api-key\u003c/code\u003e in REST server mode by rejecting server startup if no API key is provided, as described in the remediation suggestion within the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStrip \u003ccode\u003eFoundAction\u003c/code\u003e / \u003ccode\u003eFoundActionShell\u003c/code\u003e:\u003c/strong\u003e Sanitize API-sourced requests by removing the \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e options in the \u003ccode\u003epostScanHandler\u003c/code\u003e to prevent untrusted callers from setting execution-control options.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules:\u003c/strong\u003e Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Dalfox:\u003c/strong\u003e Upgrade to a patched version of Dalfox that addresses CVE-2026-45087.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:12Z","date_published":"2026-05-12T15:10:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/","summary":"Dalfox in REST API server mode is vulnerable to unauthenticated remote code execution (CVE-2026-45087) because the server binds to 0.0.0.0:6664 by default without requiring an API key and deserializes attacker-supplied JSON in `POST /scan` without stripping the `FoundAction` and `FoundActionShell` fields, allowing arbitrary command execution.","title":"Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Hahwul","version":"https://jsonfeed.org/version/1.1"}