CVE-2026-44668
CriticalSummary
FACTION is a framework for generating penetration testing reports. In versions prior to 1.8.3, AccessControlInterceptor did not validate session validity, allowing unauthorized attackers to access templates in the system.
Risk Assessment
The organization may be exposed to unauthorized access to sensitive data and the ability to modify or delete it, which could lead to serious operational consequences.
Recommendation
It is recommended to upgrade to version 1.8.3 or later to secure the system against this vulnerability.
Original NVD description (English source)
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.

