CVE Catalog

CVE-2026-44668

Critical
Published: Translated: NVD NIST

Summary

FACTION is a framework for generating penetration testing reports. In versions prior to 1.8.3, AccessControlInterceptor did not validate session validity, allowing unauthorized attackers to access templates in the system.

Risk Assessment

The organization may be exposed to unauthorized access to sensitive data and the ability to modify or delete it, which could lead to serious operational consequences.

Recommendation

It is recommended to upgrade to version 1.8.3 or later to secure the system against this vulnerability.

Original NVD description (English source)

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS