CVE-2026-44667
Status: Received - Intake
Stored XSS in Faction via Attachment Filenames

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44667 is a stored cross-site scripting (XSS) vulnerability in the Faction PenTesting Report Generation and Collaboration Framework, affecting versions prior to 1.8.3.

The vulnerability occurs because user-supplied attachment filenames in remediation verification file preview flows are not properly validated or encoded before being stored and rendered in HTML and attribute contexts.

This allows attackers to inject malicious JavaScript code via crafted filenames, which then executes in the browsers of users who view the affected verification or remediation pages.

The issue arises from multiple code locations where raw filenames are embedded into JSON and HTML responses without proper escaping, including files like fileUpload.java, RemVulnData.java, and JSP files such as fileInfoJson.jsp and VerificationEdit.jsp.

Exploitation involves uploading a file with a malicious filename through the file upload endpoint, which then triggers script execution when privileged users view the remediation details.


How can this vulnerability impact me?

This vulnerability can have severe impacts including session hijacking, unauthorized administrative actions, and potentially full platform compromise if an administrator is targeted.

Because the malicious payload is stored server-side and rendered to other users, the exploitation is persistent and can affect privileged accounts.

The attack vector is network-based with low complexity, requiring low privileges and user interaction, making it relatively easy for attackers to exploit.

The vulnerability impacts confidentiality and integrity of the system, allowing attackers to access or modify sensitive data and perform unauthorized actions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious file uploads with malicious filenames containing script or HTML injection payloads, especially through the /service/fileUpload endpoint.

One detection approach is to inspect HTTP requests to the /service/fileUpload endpoint for filenames containing characters like <, >, or JavaScript event handlers (e.g., onerror).

Additionally, reviewing the remediation verification file preview flows accessed via /portal/RemVulnData or /portal/VerificationEdit for unexpected script execution or unusual HTML content can help identify exploitation.

  • Use network traffic capture tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests to /service/fileUpload and examine filenames.
  • Example tcpdump command to capture relevant traffic: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/service/fileUpload'
  • Use curl or similar tools to test uploading files with suspicious filenames and observe if the application improperly renders them.
  • Check server logs for entries related to file uploads with suspicious filenames.
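The checks above can be automated against the two sources a defender can actually reach: Content-Disposition headers as recorded by a proxy or WAF (or cut from a packet capture), and attachment names already stored on disk or in the database. The following Java helper is an added example, not part of Faction or of this advisory; the class and method names, the normalisation rules and every sample line are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added detection helper (hypothetical, not Faction code). It takes attachment
// names from Content-Disposition header lines and from a list of stored names,
// normalises encoded variants, and reports names that carry markup.
public class AttachmentNameScanner {

    // Characters and tokens that never belong in a legitimate attachment name
    // but are needed to break out of an HTML attribute or text node.
    private static final Pattern SUSPICIOUS = Pattern.compile(
        "[<>\"']|\\bon[a-z]+\\s*=|javascript:", Pattern.CASE_INSENSITIVE);

    // RFC 5987 form: filename*=charset'lang'percent-encoded-value
    private static final Pattern CD_FILENAME_STAR = Pattern.compile(
        "filename\\*=\\s*([^']*)'[^']*'([^;\\s]+)", Pattern.CASE_INSENSITIVE);
    // Classic form: filename="quoted, with backslash escapes" or a bare token
    private static final Pattern CD_FILENAME = Pattern.compile(
        "filename=\\s*\"((?:[^\"\\\\]|\\\\.)*)\"|filename=\\s*([^;\\s]+)", Pattern.CASE_INSENSITIVE);

    /** Pulls the filename out of one Content-Disposition header line. */
    static Optional<String> filenameFromContentDisposition(String header) {
        Matcher star = CD_FILENAME_STAR.matcher(header);
        if (star.find()) {
            // The charset in group 1 is assumed to be UTF-8; adequate for detection.
            return Optional.of(URLDecoder.decode(star.group(2), StandardCharsets.UTF_8));
        }
        Matcher m = CD_FILENAME.matcher(header);
        if (!m.find()) return Optional.empty();
        return Optional.of(m.group(1) != null ? unescapeQuoted(m.group(1)) : m.group(2));
    }

    // Removes the backslash escapes allowed inside a quoted-string value.
    private static String unescapeQuoted(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length()) { sb.append(s.charAt(++i)); continue; }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Undoes up to two rounds of URL encoding and the common HTML entities,
     *  so encoded variants of the same characters are not missed. */
    static String normalise(String name) {
        String s = name;
        for (int round = 0; round < 2; round++) {
            String decoded;
            try { decoded = URLDecoder.decode(s, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException malformed) { break; }
            if (decoded.equals(s)) break;
            s = decoded;
        }
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"")
                .replace("&#x27;", "'").replace("&#39;", "'").replace("&amp;", "&");
    }

    static boolean isSuspicious(String name) {
        return SUSPICIOUS.matcher(normalise(name)).find();
    }

    /** Returns the normalised names that should be investigated. */
    static List<String> scan(List<String> names) {
        List<String> hits = new ArrayList<>();
        for (String n : names) if (isSuspicious(n)) hits.add(normalise(n));
        return hits;
    }

    public static void main(String[] args) {
        // Constructed samples, in the shape a proxy log might record upload headers.
        List<String> headers = List.of(
            "Content-Disposition: form-data; name=\"file\"; filename=\"quarterly-report.pdf\"",
            "Content-Disposition: form-data; name=\"file\"; filename=\"evidence\\\"><b>x.png\"",
            "Content-Disposition: form-data; name=\"file\"; filename*=UTF-8''scan%3Cb%3E.txt");
        // Constructed samples, in the shape a dump of stored attachment names might take.
        List<String> stored = List.of("notes.txt", "scan result.png", "photo&lt;b&gt;.jpg");

        List<String> candidates = new ArrayList<>(stored);
        for (String h : headers) filenameFromContentDisposition(h).ifPresent(candidates::add);

        for (String hit : scan(candidates)) {
            System.out.println("SUSPICIOUS attachment name: " + hit);
        }
    }
}
```

Feed it the header lines your proxy or WAF logs for POSTs to /service/fileUpload, or a listing of the attachment store; the normalisation step matters because a name that reaches the page as `%3C` or `&lt;` is rendered the same way as a raw `<` once it has been decoded and concatenated into HTML. The tcpdump filter above only sees plaintext traffic, so for TLS-terminated deployments the proxy log or the stored names are the practical input.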

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the Faction application to version 1.8.3 or later, where the vulnerability is fixed by properly escaping filenames and validating input.

If upgrading is not immediately possible, implement input validation to reject filenames containing HTML or script characters, and make sure output encoding is applied wherever filenames are rendered in the affected endpoints.

Restrict access to the file upload and remediation verification endpoints to trusted users only, and monitor for suspicious activity.

Consider applying web application firewall (WAF) rules to block requests with suspicious filename patterns.
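To make the fix concrete for both the root cause described above (raw filenames concatenated into JSON and HTML responses) and the mitigation just listed (encode on output, validate on upload), here is an added Java example. It is not Faction's code: the class, the method names (renderPreviewRow, renderFileInfoJson, isAcceptableUploadName), the /service/fileView path and the sample filename are hypothetical stand-ins for the servlet and JSP code the advisory refers to.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example, not Faction's code. Shows the defective pattern the advisory
// describes next to context-specific output encoding, plus an upload-time
// allow-list as defence in depth. All names and paths are hypothetical.
public class FilenameOutputEncoding {

    // Constructed sample: an attachment name that carries markup characters.
    static final String SAMPLE_NAME = "evidence\"><b>x</b>.png";

    // --- The defective pattern (CWE-79): raw concatenation into an HTML
    // attribute, HTML text and a JSON response. Kept only for contrast.
    static String renderPreviewRowUnsafe(String fileName) {
        return "<a href=\"/service/fileView?name=" + fileName + "\">" + fileName + "</a>";
    }

    static String renderFileInfoJsonUnsafe(String fileName) {
        return "{\"name\":\"" + fileName + "\"}";
    }

    // --- Context-specific output encoding: the actual fix.

    /** Encoder for HTML text nodes and double-quoted attribute values. */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Encoder for a JSON string literal. Besides the mandatory escapes it
     *  also emits <, > and & as unicode escapes, so the JSON stays inert if
     *  a page ever inlines it into a script block or an HTML comment. */
    static String jsonStringEncode(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\"");    break;
                case '\\': sb.append("\\\\");    break;
                case '\n': sb.append("\\n");     break;
                case '\r': sb.append("\\r");     break;
                case '\t': sb.append("\\t");     break;
                case '<':  sb.append("\\u003c"); break;
                case '>':  sb.append("\\u003e"); break;
                case '&':  sb.append("\\u0026"); break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    /** Hardened row: URL-encode for the query string, then HTML-encode for the
     *  attribute context; HTML-encode separately for the link text. */
    static String renderPreviewRow(String fileName) {
        String asQueryValue = URLEncoder.encode(fileName, StandardCharsets.UTF_8);
        return "<a href=\"/service/fileView?name=" + htmlEncode(asQueryValue) + "\">"
             + htmlEncode(fileName) + "</a>";
    }

    /** Hardened JSON: the name is emitted as a properly escaped string literal. */
    static String renderFileInfoJson(String fileName) {
        return "{\"name\":" + jsonStringEncode(fileName) + "}";
    }

    // --- Defence in depth at upload time: an allow-list on the stored name.
    // This is the "reject filenames containing HTML or script characters"
    // step; it complements output encoding rather than replacing it.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._ -]{0,199}");

    static boolean isAcceptableUploadName(String original) {
        String base = original.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);   // drop any smuggled path
        return SAFE_NAME.matcher(base).matches() && !base.contains("..");
    }

    public static void main(String[] args) {
        System.out.println("unsafe row : " + renderPreviewRowUnsafe(SAMPLE_NAME));
        System.out.println("safe row   : " + renderPreviewRow(SAMPLE_NAME));
        System.out.println("unsafe json: " + renderFileInfoJsonUnsafe(SAMPLE_NAME));
        System.out.println("safe json  : " + renderFileInfoJson(SAMPLE_NAME));
        System.out.println("accept at upload? " + isAcceptableUploadName(SAMPLE_NAME));
    }
}
```

The point of the two encoders is that each output context needs its own rule: a value that is safe as HTML text is not automatically safe inside a `href`, and a JSON string literal has different escape requirements again. Encoding at the last moment, in the JSP or servlet that writes the response, is what closes the bug; the allow-list at upload time is worth keeping, but it cannot be the only control, because names already in the database and names that arrive through other code paths still reach the same templates.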

