GHSA-2g4x-fq3j-cgq4: Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)
Summary
Dalfox, a security scanning tool, has a vulnerability in its server mode that lets an unauthenticated attacker crash the entire process with a specially crafted request. The bug occurs because the code closes a communication channel (a Go channel, used to pass data between concurrent tasks) as soon as the first stage of parameter scanning finishes, and a second stage then writes to that same closed channel. In Go, sending on a closed channel triggers a runtime panic (an unrecoverable error that terminates the program unless it is explicitly recovered), so the whole process dies. Since the server has no authentication by default and listens on all network interfaces, any remote attacker can trigger this crash.
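The defect class described above, as an added illustration that is not Dalfox's own code: a two-stage pipeline in which the result channel is closed after stage 1 while stage 2 still sends on it, beside a version that closes the channel once, after every producer has returned. The stage names, parameter list and the `recover` in `runStage` are assumptions made so the crash can be observed in a test; the server mode in the advisory has no such guard, so there the panic is fatal.

```go
package main

import (
	"fmt"
	"sync"
)

// collect drains ch into a slice until the channel is closed.
func collect(ch <-chan string) []string {
	var out []string
	for s := range ch {
		out = append(out, s)
	}
	return out
}

// runStage emits one finding per parameter; its deferred recover converts a
// send-on-closed-channel panic into an error so this example stays testable.
func runStage(name string, params []string, out chan<- string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%s: %v", name, r)
		}
	}()
	for _, p := range params {
		out <- name + ":" + p
	}
	return nil
}

// vulnerableAnalysis reproduces the defect class from the advisory.
func vulnerableAnalysis(params []string) ([]string, error) {
	out := make(chan string, 2*len(params))
	_ = runStage("stage1", params, out)
	close(out)                             // BUG: closed while stage 2 still has to send
	err := runStage("stage2", params, out) // send on closed channel -> runtime panic
	return collect(out), err
}

// fixedAnalysis closes the channel exactly once, after every producer returned.
func fixedAnalysis(params []string) []string {
	out := make(chan string, 2*len(params))
	var wg sync.WaitGroup
	for _, name := range []string{"stage1", "stage2"} {
		wg.Add(1)
		go func(n string) { defer wg.Done(); _ = runStage(n, params, out) }(name)
	}
	wg.Wait()
	close(out) // safe: nothing can send after wg.Wait has returned
	return collect(out)
}
```

In the vulnerable variant only stage 1's findings survive and the second stage reports `send on closed channel`; the fixed variant returns findings from both stages because the single `close` happens only after the wait group has drained.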
Vulnerability Details
EPSS: 0.0%
May 12, 2026
Original source: https://github.com/advisories/GHSA-2g4x-fq3j-cgq4
First tracked: May 12, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%