CVE-2026-44668 · CRITICAL 9.8 · EPSS p28.1%


Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% probability of exploitation · percentile 28.1% · 2026-06-18T12:00:27Z
Published: 2026-05-26
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-306 (Missing Authentication for Critical Function)

References

  1. https://github.com/factionsecurity/faction/releases/tag/1.8.3
  2. https://github.com/factionsecurity/faction/security/advisories/GHSA-7cv6-h22r-2qf2

Weakness mapping · 1

Type      Target                                                 Confidence  Tier
Weakness  Missing Authentication for Critical Function (cwe-306)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-44667
  2. CVE: CVE-2026-44669
  3. CVE: CVE-2025-66022
  4. CVE: CVE-2025-26961
  5. CVE: CVE-2025-68929
  6. CVE: CVE-2026-34531

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.