What is the CVSS score of CVE-2026-44668?

CVE-2026-44668 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of FACTION are affected by CVE-2026-44668?

FACTION pentesting framework versions prior to 1.8.3 contain an unauthenticated authorization bypass allowing remote attackers to read, modify, and delete report templates without any credentials.. A patch is available.

How to fix or mitigate CVE-2026-44668?

24 hours: Audit all FACTION installations, document current versions deployed, and create backup inventory of existing report templates. 7 days: Deploy FACTION 1.8.3 or later to all affected systems and verify template integrity post-patch. 30 days: Review audit logs for unauthorized template modifications in the past 90 days and validate all external pentesting deliverables against internal records.

FACTION CVE-2026-44668

EUVD-2026-31944 CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-05-26 GitHub_M

Authentication Bypass Faction

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

Jun 08, 2026 - 08:35 vuln.today

Analysis Generated

Jun 08, 2026 - 08:35 vuln.today

Patch available

May 26, 2026 - 19:02 EUVD

DescriptionGitHub Advisory

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.

AnalysisAI

Unauthenticated authorization bypass in FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without session validation, compounded by four BoilerPlateConfig action methods that perform no local auth check. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover exposed FACTION instance

Delivery

Send unauthenticated request to BoilerPlateConfig action

Exploit

Bypass AccessControlInterceptor session check

Execution

Invoke tempDelete or globalSaveTemplate

Impact

Exfiltrate or destroy boilerplate templates

Access

Discover exposed FACTION instance

Delivery

Send unauthenticated request to BoilerPlateConfig action

Exploit

Bypass AccessControlInterceptor session check

Execution

Invoke tempDelete or globalSaveTemplate

Impact

Exfiltrate or destroy boilerplate templates

Vulnerability AssessmentAI

Exploitation	No special conditions - remote unauthenticated exploitation against default configurations of FACTION versions before 1.8.3, requiring only network reachability to the Struts2 application's BoilerPlateConfig action endpoints (tempDelete, tempActive, globalSaveTemplate, searchTemplateDetail). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed but lean toward elevated risk for any internet-exposed FACTION instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who locates an internet-exposed FACTION instance issues unauthenticated HTTP requests directly to the BoilerPlateConfig action endpoints (such as tempDelete) and proceeds to enumerate, exfiltrate, overwrite, or wipe every boilerplate report template in the system, destroying institutional pentest reporting content or seeding malicious template language that later appears in client deliverables. SSVC classifies exploitation as automatable, so a simple script could iterate template IDs across many hosts; no PoC has been published, but the vendor's release notes describe the affected method names directly.
Remediation	Vendor-released patch: upgrade to FACTION 1.8.3, which both closes the AccessControlInterceptor gap for non-root namespaces (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all FACTION installations, document current versions deployed, and create backup inventory of existing report templates. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-44668 vulnerability details – vuln.today

Back

FACTION CVE-2026-44668

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code