Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
5 vulnerabilities by factionsecurity
CVE-2026-44668 (GCVE-0-2026-44668)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:43 – Updated: 2026-05-27 14:01
VLAI
Title
Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates
Summary
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/factionsecurity/faction/securi… | x_refsource_CONFIRM |
| https://github.com/factionsecurity/faction/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| factionsecurity | faction |
Affected:
< 1.8.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44668",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:00:07.917935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:01:36.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-7cv6-h22r-2qf2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "faction",
"vendor": "factionsecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:43:49.177Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/factionsecurity/faction/security/advisories/GHSA-7cv6-h22r-2qf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-7cv6-h22r-2qf2"
},
{
"name": "https://github.com/factionsecurity/faction/releases/tag/1.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/factionsecurity/faction/releases/tag/1.8.3"
}
],
"source": {
"advisory": "GHSA-7cv6-h22r-2qf2",
"discovery": "UNKNOWN"
},
"title": "Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44668",
"datePublished": "2026-05-26T17:43:49.177Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-27T14:01:36.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44669 (GCVE-0-2026-44669)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:43 – Updated: 2026-05-26 18:25
VLAI
Title
Faction: Stored XSS in Assessment Attachment Filename Preview Rendering
Summary
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
Severity
8.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/factionsecurity/faction/securi… | x_refsource_CONFIRM |
| https://github.com/factionsecurity/faction/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| factionsecurity | faction |
Affected:
< 1.8.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:25:31.338980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:25:37.778Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-f2jc-wx44-mr54"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "faction",
"vendor": "factionsecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:43:11.829Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/factionsecurity/faction/security/advisories/GHSA-f2jc-wx44-mr54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-f2jc-wx44-mr54"
},
{
"name": "https://github.com/factionsecurity/faction/releases/tag/1.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/factionsecurity/faction/releases/tag/1.8.3"
}
],
"source": {
"advisory": "GHSA-f2jc-wx44-mr54",
"discovery": "UNKNOWN"
},
"title": "Faction: Stored XSS in Assessment Attachment Filename Preview Rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44669",
"datePublished": "2026-05-26T17:43:11.829Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-26T18:25:37.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44667 (GCVE-0-2026-44667)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:42 – Updated: 2026-05-27 16:07
VLAI
Title
Faction: Stored XSS in Remediation Verification Attachment Filename Preview Rendering
Summary
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
Severity
8.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/factionsecurity/faction/securi… | x_refsource_CONFIRM |
| https://github.com/factionsecurity/faction/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| factionsecurity | faction |
Affected:
< 1.8.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44667",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T16:07:30.342793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T16:07:42.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-x3fm-rrxj-rg66"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "faction",
"vendor": "factionsecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:42:39.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/factionsecurity/faction/security/advisories/GHSA-x3fm-rrxj-rg66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-x3fm-rrxj-rg66"
},
{
"name": "https://github.com/factionsecurity/faction/releases/tag/1.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/factionsecurity/faction/releases/tag/1.8.3"
}
],
"source": {
"advisory": "GHSA-x3fm-rrxj-rg66",
"discovery": "UNKNOWN"
},
"title": "Faction: Stored XSS in Remediation Verification Attachment Filename Preview Rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44667",
"datePublished": "2026-05-26T17:42:39.244Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-27T16:07:42.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66022 (GCVE-0-2025-66022)
Vulnerability from cvelistv5 – Published: 2025-11-26 02:08 – Updated: 2025-11-26 15:13
VLAI
Title
FACTION Unauthenticated Custom Extension Upload leads to RCE
Summary
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
Severity
9.7 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/factionsecurity/faction/securi… | x_refsource_CONFIRM |
| https://github.com/factionsecurity/faction/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| factionsecurity | faction |
Affected:
< 1.7.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66022",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T15:13:38.733818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T15:13:42.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "faction",
"vendor": "factionsecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction\u2019s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T02:08:14.805Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w"
},
{
"name": "https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3"
}
],
"source": {
"advisory": "GHSA-xr72-2g43-586w",
"discovery": "UNKNOWN"
},
"title": "FACTION Unauthenticated Custom Extension Upload leads to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66022",
"datePublished": "2025-11-26T02:08:14.805Z",
"dateReserved": "2025-11-21T01:08:02.613Z",
"dateUpdated": "2025-11-26T15:13:42.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27422 (GCVE-0-2025-27422)
Vulnerability from cvelistv5 – Published: 2025-03-03 16:25 – Updated: 2025-03-03 18:53
VLAI
Title
FACTION Allows Authentication Bypass via User Creation
Summary
FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/factionsecurity/faction/securi… | x_refsource_CONFIRM |
| https://github.com/factionsecurity/faction/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| factionsecurity | faction |
Affected:
< 1.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27422",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T18:52:50.307796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T18:53:10.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "faction",
"vendor": "factionsecurity",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T16:25:48.918Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/factionsecurity/faction/security/advisories/GHSA-97cv-f342-v2jc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/factionsecurity/faction/security/advisories/GHSA-97cv-f342-v2jc"
},
{
"name": "https://github.com/factionsecurity/faction/commit/0a6848d388d6dba1c81918cce2772b1e805cd3d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/factionsecurity/faction/commit/0a6848d388d6dba1c81918cce2772b1e805cd3d6"
}
],
"source": {
"advisory": "GHSA-97cv-f342-v2jc",
"discovery": "UNKNOWN"
},
"title": "FACTION Allows Authentication Bypass via User Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27422",
"datePublished": "2025-03-03T16:25:48.918Z",
"dateReserved": "2025-02-24T15:51:17.269Z",
"dateUpdated": "2025-03-03T18:53:10.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}