CVE-2026-44667
Deferred Deferred - Pending Action
Stored XSS in Faction via Attachment Filenames

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-44667
EUVD
EUVD-2026-31942
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
factionsecurity faction to 1.8.3 (exc)
factionsecurity faction 1.8.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44667 is a stored cross-site scripting (XSS) vulnerability in the Faction PenTesting Report Generation and Collaboration Framework, affecting versions prior to 1.8.3.

The vulnerability occurs because user-supplied attachment filenames in remediation verification file preview flows are not properly validated or encoded before being stored and rendered in HTML and attribute contexts.

This allows attackers to inject malicious JavaScript code via crafted filenames, which then executes in the browsers of users who view the affected verification or remediation pages.

The issue arises from multiple code locations where raw filenames are embedded into JSON and HTML responses without proper escaping, including files like fileUpload.java, RemVulnData.java, and JSP files such as fileInfoJson.jsp and VerificationEdit.jsp.

Exploitation involves uploading a file with a malicious filename through the file upload endpoint, which then triggers script execution when privileged users view the remediation details.

Impact Analysis

This vulnerability can have severe impacts including session hijacking, unauthorized administrative actions, and potentially full platform compromise if an administrator is targeted.

Because the malicious payload is stored server-side and rendered to other users, the exploitation is persistent and can affect privileged accounts.

The attack vector is network-based with low complexity, requiring low privileges and user interaction, making it relatively easy for attackers to exploit.

The vulnerability impacts confidentiality and integrity of the system, allowing attackers to access or modify sensitive data and perform unauthorized actions.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious file uploads with malicious filenames containing script or HTML injection payloads, especially through the /service/fileUpload endpoint.

One detection approach is to inspect HTTP requests to the /service/fileUpload endpoint for filenames containing characters like <, >, or JavaScript event handlers (e.g., onerror).

Additionally, reviewing the remediation verification file preview flows accessed via /portal/RemVulnData or /portal/VerificationEdit for unexpected script execution or unusual HTML content can help identify exploitation.

  • Use network traffic capture tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to /service/fileUpload and examine filenames.
  • Example tcpdump command to capture relevant traffic: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/service/fileUpload'
  • Use curl or similar tools to test uploading files with suspicious filenames and observe if the application improperly renders them.
  • Check server logs for entries related to file uploads with suspicious filenames.
Mitigation Strategies

Immediate mitigation steps include upgrading the Faction application to version 1.8.3 or later, where the vulnerability is fixed by properly escaping filenames and validating input.

If upgrading is not immediately possible, implement input validation to reject filenames containing HTML or script characters and disable HTML escaping in affected endpoints.

Restrict access to the file upload and remediation verification endpoints to trusted users only, and monitor for suspicious activity.

Consider applying web application firewall (WAF) rules to block requests with suspicious filename patterns.

Compliance Impact

The vulnerability allows attacker-controlled JavaScript to execute in the browsers of users, including privileged accounts, leading to potential session hijacking, unauthorized administrative actions, or full platform compromise.

Such unauthorized access and potential data compromise can impact the confidentiality and integrity of sensitive information managed by the application.

This can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart