Cyber Resilience

CVE-2026-45087

CriticalRCE

Published: 27 May 2026

Published
27 May 2026
Modified
28 May 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0115 62.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-45087 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the…

more

operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote command injection on a publicly exposed REST API server directly maps to exploitation of public-facing apps and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-36356Shared CWE-306, CWE-78
CVE-2024-12847Shared CWE-306, CWE-78
CVE-2025-55583Shared CWE-306, CWE-78
CVE-2018-25115Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2024-46484Shared CWE-78
CVE-2025-7404Shared CWE-78
CVE-2026-0796Shared CWE-78
CVE-2026-2041Shared CWE-78
CVE-2025-64091Shared CWE-78

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-15 CWE-306

Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists.

addresses: CWE-306

Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.

addresses: CWE-306

Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

addresses: CWE-306

Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

addresses: CWE-306

Guarantees critical functions are protected by mandatory invocation of the access control mechanism.

addresses: CWE-306

Auditing sessions makes it possible to detect access to critical functions without required authentication.

addresses: CWE-306

The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.

addresses: CWE-306

Certification assesses that critical functions have required authentication controls in place.

References