CVE-2026-44667 - Vulnerability Details

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.

Published: 2026-05-26

Score: 8.7 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

FACTION is vulnerable to a high‑severity stored XSS flaw that occurs when an attacker uploads a remediation verification attachment with a specially crafted filename. The filename is persisted on the server and subsequently injected into HTML and attribute contexts without any form of output encoding, allowing the attacker to execute arbitrary JavaScript in the browser of any user who views the affected attachment preview. Because the payload is stored server‑side, the vulnerability is replayable and can impact accounts with elevated privileges.

Affected Systems

The flaw affects the FACTION PenTesting Report Generation and Collaboration Framework prior to version 1.8.3. Any installation that has not applied the 1.8.3 update and still uses the legacy attachment preview rendering path is exposed.

Risk and Exploitability

The CVSS score of 8.7 signals a high level of risk. The absence of an EPSS score does not quantify exploitation probability, but the persistent nature of the flaw and its impact on privileged users make exploitation of interest. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly documented exploit. The likely attack vector is the file upload feature of the remediation verification flow, requiring an authenticated user with permission to upload attachments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

factionsecurity

faction

affected

Version	Status	Constraints
`< 1.8.3`	affected	—

No data.

Vendor Product Confidence Versions

Factionsecurity

Faction

100%

Version	Status	Scheme	Platform
`[0,1.8.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official 1.8.3 release of FACTION to eliminate the stored XSS flaw
If upgrading is not immediately possible, sanitize or disable the attachment preview rendering to prevent unencoded filenames from reaching browsers
Review all existing attachments and re‑upload them with safe filenames or remove suspicious ones

Generated by OpenCVE AI on May 26, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/factionsecurity/faction/releases/tag/1.8.3
https://github.com/factionsecurity/faction/security/advisories/GHSA-x3fm-rrxj-rg66

History

Tue, 26 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Factionsecurity Factionsecurity faction
Vendors & Products		Factionsecurity Factionsecurity faction

Tue, 26 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
Title		Faction: Stored XSS in Remediation Verification Attachment Filename Preview Rendering
Weaknesses		CWE-79
References		https://github.com/factionsecurity/faction/releases/tag/1.8.3 https://github.com/factionsecurity/faction/security/advisories/GHSA-x3fm-rrxj-rg66
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}`

Subscriptions

Factionsecurity Faction

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-26T17:42:39.244Z

Updated: 2026-05-26T17:42:39.244Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44667

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-26T18:16:50.120

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-44667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:15:16Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object