VYPR

Faction

by Factionsecurity

CVEs (5)

  • CVE-2026-44668 | Critical | May 26, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in…

  • CVE-2026-44669 | High | May 26, 2026
    risk 0.50 | cvss 8.7 | epss 0.00

    FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into…

  • CVE-2026-44667 | High | May 26, 2026
    risk 0.50 | cvss 8.7 | epss 0.00

    FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then…

  • CVE-2025-27422 | High | Mar 3, 2025
    risk 0.42 | cvss 7.5 | epss 0.00

    FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing…

  • CVE-2025-66022 | Nov 26, 2025
    risk 0.00 | cvss | epss 0.01

    FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked,…