CVE-2026-44668: FACTION: Unauthenticated access to sensitive data
Summary
FACTION's PenTesting Report Generation and Collaboration Framework, in versions before 1.8.3, lets an unauthenticated user read, modify, or delete sensitive data. The Struts2 interceptor that is supposed to gate every action forwards each request to the action without verifying that a valid session exists, and four action methods in BoilerPlateConfig add no check of their own, so anyone who can reach the application can read, overwrite, deactivate, or permanently delete any boilerplate template. No credentials are needed, so exposure depends only on whether the FACTION instance is network-reachable. Update to FACTION 1.8.3 or later.
Original description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.
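The pattern the advisory describes, shown as an added Java illustration for this page. It is not FACTION's code: the class names, the session attribute key, the action method and the repository call are assumptions chosen for the example. The first interceptor has the vulnerable shape (it calls invocation.invoke() unconditionally); the second refuses to run the action without an authenticated session, and the action repeats the check locally so that a gap in the interceptor stack cannot expose it.

```java
// Added illustration of the CWE-306 pattern in CVE-2026-44668, not FACTION's code.
// Class names, the session key "authenticatedUser" and the action are assumptions.
package example;

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public final class SessionGateExample {

    /** Assumed session attribute that the login action stores on success. */
    static final String USER_KEY = "authenticatedUser";

    /** Single definition of "authenticated", shared by the interceptor and the actions. */
    static boolean isAuthenticated(Map<String, Object> session) {
        return session != null && session.get(USER_KEY) != null;
    }

    /** Vulnerable shape: the "gate" forwards every request straight to the action. */
    public static class UnconditionalInterceptor extends AbstractInterceptor {
        @Override
        public String intercept(ActionInvocation invocation) throws Exception {
            // No session check at all, so unauthenticated requests reach the action body.
            return invocation.invoke();
        }
    }

    /** Hardened shape: the action body never runs for a request without an authenticated session. */
    public static class SessionGateInterceptor extends AbstractInterceptor {
        @Override
        public String intercept(ActionInvocation invocation) throws Exception {
            Map<String, Object> session = invocation.getInvocationContext().getSession();
            if (!isAuthenticated(session)) {
                // "login" must be declared as a global result in struts.xml; the action is skipped.
                return Action.LOGIN;
            }
            return invocation.invoke();
        }
    }

    /**
     * Defense in depth: a destructive action method repeats the check locally, so a
     * misconfigured interceptor stack or an action mapped outside it cannot expose it.
     */
    public static class DeleteTemplateAction extends ActionSupport {
        private long templateId;

        public void setTemplateId(long templateId) {
            this.templateId = templateId;
        }

        public String delete() {
            Map<String, Object> session = ActionContext.getContext().getSession();
            if (!isAuthenticated(session)) {
                return LOGIN; // refuse before touching any data
            }
            // templateRepository.delete(templateId); // assumed persistence call
            return SUCCESS;
        }
    }
}
```

For the gate to matter, SessionGateInterceptor must be part of the interceptor stack that every action in the package inherits, and "login" must be a global result in struts.xml; the login action itself has to be allowed through (for example by an allowlist of action names), which this example omits. A regression test for the fix would call intercept() with an invocation whose session lacks the key and assert that invoke() is never reached.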
NVD CVSS 3.1 base score: 9.8
Vulnerability type: CWE-306, Missing Authentication for Critical Function
Published: 26 May 2026 · Updated: 30 May 2026 · First seen: 26 May 2026