CVE-2026-44669
Stored XSS in Faction via Attachment Filenames

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
| Vendor | Product | Version / Range |
|---|---|---|
| factionsecurity | faction | to 1.8.3 (exc) |
| factionsecurity | faction | to 1.7.7 (exc) |
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44669 is a stored cross-site scripting (XSS) vulnerability in the Faction application, specifically affecting versions 1.7.7 and earlier.

The issue arises from improper handling of user-supplied attachment filenames in assessment file preview flows, where filenames are stored without validation or encoding and later rendered in HTML/attribute contexts.

This allows attackers to inject malicious JavaScript payloads that execute when other users view the affected page, making the vulnerability persistent and potentially impacting privileged accounts.

Attackers exploit this by uploading a file with a crafted filename containing JavaScript code, which executes when the filename is rendered in the preview component.


How can this vulnerability impact me?

This vulnerability can be abused to perform unauthorized actions on behalf of the victim user, such as administrative operations, data theft, or platform configuration changes.

Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts, potentially leading to full administrative takeover.

The severity is rated as High (CVSS score 8.7) due to the potential for confidentiality and integrity loss.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying files uploaded to the Faction application with attachment filenames containing suspicious or malicious JavaScript code. Since the issue arises from stored cross-site scripting via attachment filenames in assessment file preview flows, monitoring or searching for filenames with HTML or script characters is key.

One approach is to query the database or application logs for filenames containing script tags or other suspicious payloads. Additionally, inspecting the assessment file preview pages for unexpected script execution can help detect exploitation.

Specific commands depend on your environment, but examples include:

  • Using grep or similar tools to search for suspicious filenames in logs or database exports, e.g., `grep -iE '<script|javascript:' /path/to/logs`
  • Querying the database for filenames containing HTML or script characters, e.g., `SELECT filename FROM attachments WHERE filename LIKE '%<script%' OR filename LIKE '%javascript:%';`
  • Using browser developer tools or automated scanners to inspect the assessment file preview pages for injected scripts.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Faction application to version 1.8.3 or later, where this vulnerability is fixed.

Version 1.8.3 includes proper escaping of filenames in upload responses based on context (HTML, JSON, URL parameters) and server-side validation that rejects filenames containing HTML or script characters.

Additional security improvements in this version include requiring authenticated sessions for certain actions, scoping template lookups to prevent cross-user data access, and closing authentication gaps.

Until the upgrade can be performed, consider restricting access to the assessment file preview flows, monitoring for suspicious filenames, and educating users to avoid opening suspicious attachments.
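
The two controls described for 1.8.3 (upload-time rejection of markup characters and context-specific escaping at render time) can be sketched as follows. This is an added example, not Faction's code: the forbidden-character set, the `/download` path, and all function names are assumptions, and the sample filenames are constructed.

```python
import html
import json
import re
from urllib.parse import quote

# Assumed policy: characters with meaning in HTML/attribute contexts, plus controls.
_FORBIDDEN = re.compile(r'[<>"\'&`\x00-\x1f\x7f]')
MAX_LEN = 255


def validate_filename(name: str) -> bool:
    """Server-side check at upload time: reject names carrying markup characters."""
    return 0 < len(name) <= MAX_LEN and not _FORBIDDEN.search(name)


def render_unsafe(name: str) -> str:
    """The flaw class described above: stored value concatenated into markup as-is."""
    return '<a title="' + name + '">' + name + '</a>'


def render_html(name: str, file_id: int) -> str:
    """Encode per context: URL parameter first, then HTML attribute and HTML text."""
    # Hypothetical download route; quote() with safe="" percent-encodes "/" as well.
    href = "/download?id=%d&name=%s" % (file_id, quote(name, safe=""))
    text = html.escape(name, quote=True)
    return '<a href="%s" title="%s">%s</a>' % (html.escape(href, quote=True), text, text)


def render_json(name: str, file_id: int) -> str:
    """JSON upload response; < > & are also escaped so it stays inert if inlined in a page."""
    body = json.dumps({"id": file_id, "filename": name})
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ["scope-notes.pdf", 'notes"><b>x</b>.txt']:
        print(validate_filename(sample))
        print(render_unsafe(sample))
        print(render_html(sample, 7))
        print(render_json(sample, 7))
```

Encoding at render time matters even with validation in place, because filenames stored before the upgrade never passed the new upload check.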

