Impact
The Faction framework has a stored cross‑site scripting flaw that stems from the way attachment filenames are handled in the assessment preview feature. The application accepts a filename supplied by the user, stores it on the server, and later renders the value directly into the page’s HTML or attribute context without any sanitization or encoding. An attacker can embed JavaScript in an attachment name, and when any other user – including privileged staff – opens the preview the malicious code executes in that user’s browser. This gives the attacker the ability to hijack the user’s session, exfiltrate data, or perform other client‑side attacks. The weakness is a typical Stored XSS (CWE‑79) and has a severe potential impact on confidentiality and integrity of the target organization’s information.
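The rendering flaw described above, shown as an added example that is not Faction's own code: the same template once with the stored filename concatenated raw and once with it encoded at output time, plus an upload-time filename check as defence in depth. The function names, the `/files/` path and the sample records are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not Faction's code.

// Characters that can break out of HTML text or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the stored filename goes into an attribute and into element text as-is.
function renderPreviewRowUnsafe(attachment) {
  return '<a href="/files/' + attachment.id + '" title="' + attachment.name + '">' +
    attachment.name + '</a>';
}

// After: same markup, but every use of the filename is encoded when rendered,
// so whatever was stored is displayed as text and never parsed as markup.
function renderPreviewRowSafe(attachment) {
  const id = encodeURIComponent(String(attachment.id));
  const name = escapeHtml(attachment.name);
  return `<a href="/files/${id}" title="${name}">${name}</a>`;
}

// Defence in depth at upload or rename: accept only a conservative character set.
// This complements output encoding; it does not replace it.
function isAcceptableFilename(name) {
  return typeof name === 'string' && name.length <= 255 &&
    /^[A-Za-z0-9][A-Za-z0-9 ._()-]*$/.test(name);
}

// Constructed sample records (not taken from a real assessment).
const samples = [
  { id: 1, name: 'scan-results (final).pdf' },
  { id: 2, name: 'x"><script>alert(1)</script>.png' },
];

for (const a of samples) {
  console.log('accepted at upload:', isAcceptableFilename(a.name));
  console.log('unsafe render     :', renderPreviewRowUnsafe(a));
  console.log('safe render       :', renderPreviewRowSafe(a));
}
```

Encoding has to happen at every place the filename is written into the page, because records stored before a filename check was introduced still carry whatever name they were uploaded with.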
Affected Systems
The vulnerability affects only the Faction framework from the vendor FactionSecurity, specifically all releases before version 1.8.3. Users who have not applied the recent security release are exposed, while those running 1.8.3 or later have the issue fixed. No other products or versions are impacted.
Risk and Exploitability
The CVSS base score is 8.7, reflecting high severity, and the flaw can be exploited by anyone who can influence the attachment filename field. Because the malicious payload is stored server‑side, it remains effective for subsequent users, making the attack persistent. The EPSS score is not disclosed and the vulnerability is not listed in CISA’s KEV database, but the technical description shows that exploitation is straightforward: upload or rename an attachment with a crafted filename, then persuade or force a victim to view the preview. Privileged accounts are at greater risk because they typically have a higher level of trust and broader access, so an attacker who compromises a privileged user’s session may gain substantial insider access.