Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.

AI Analysis

Unauthenticated read, modify, and delete of boilerplate templates due to missing session checks

Basic Information

ID CVE-2026-44668

Source GitHub_M

Published May 26, 2026 at 17:43

Affected Product

Vendor factionsecurity

Product faction

Version < 1.8.3

Affected Versions factionsecurity faction < 1.8.3

CWE Classification

CWE-306

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Faction Security

Product FACTION

Version < 1.8.3

References

{
    "lastseen": "",
    "description": "FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.",
    "published": "2026-05-26T17:43:49.177Z",
    "modified": "2026-05-26T17:43:49.177Z",
    "type": "cve",
    "title": "Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates",
    "source": "GitHub_M",
    "references": "https://github.com/factionsecurity/faction/security/advisories/GHSA-7cv6-h22r-2qf2\nhttps://github.com/factionsecurity/faction/releases/tag/1.8.3",
    "id": "CVE-2026-44668",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "factionsecurity faction < 1.8.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "faction",
    "version": "< 1.8.3",
    "vendor": "factionsecurity",
    "ai_description": "Unauthenticated read, modify, and delete of boilerplate templates due to missing session checks",
    "ai_severity": "Critical",
    "ai_vendor": "Faction Security",
    "ai_product": "FACTION",
    "ai_version": "< 1.8.3",
    "ai_score": 9.8
}

Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates_CVE-2026-44668