Executive Summary

CVE-2026-44669 is a stored cross-site scripting (XSS) vulnerability in the Faction application, specifically affecting versions 1.7.7 and earlier.

The issue arises from improper handling of user-supplied attachment filenames in assessment file preview flows, where filenames are stored without validation or encoding and later rendered in HTML/attribute contexts.

This allows attackers to inject malicious JavaScript payloads that execute when other users view the affected page, making the vulnerability persistent and potentially impacting privileged accounts.

Attackers exploit this by uploading a file with a crafted filename containing JavaScript code, which executes when the filename is rendered in the preview component.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be abused to perform unauthorized actions on behalf of the victim user, such as administrative operations, data theft, or platform configuration changes.

Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts, potentially leading to full administrative takeover.

The severity is rated as High (CVSS score 8.7) due to the potential for confidentiality and integrity loss.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying files uploaded to the Faction application with attachment filenames containing suspicious or malicious JavaScript code. Since the issue arises from stored cross-site scripting via attachment filenames in assessment file preview flows, monitoring or searching for filenames with HTML or script characters is key.

One approach is to query the database or application logs for filenames containing script tags or other suspicious payloads. Additionally, inspecting the assessment file preview pages for unexpected script execution can help detect exploitation.

Specific commands depend on your environment, but examples include:

• Using grep or similar tools to search for suspicious filenames in logs or database exports, e.g., `grep -iE '<script|javascript:' /path/to/logs`
• Querying the database for filenames containing HTML or script characters, e.g., `SELECT filename FROM attachments WHERE filename LIKE '%<script%' OR filename LIKE '%javascript:%';`
• Using browser developer tools or automated scanners to inspect the assessment file preview pages for injected scripts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Faction application to version 1.8.3 or later, where this vulnerability is fixed.

Version 1.8.3 includes proper escaping of filenames in upload responses based on context (HTML, JSON, URL parameters) and server-side validation that rejects filenames containing HTML or script characters.

Additional security improvements in this version include requiring authenticated sessions for certain actions, scoping template lookups to prevent cross-user data access, and closing authentication gaps.

Until the upgrade can be performed, consider restricting access to the assessment file preview flows, monitoring for suspicious filenames, and educating users to avoid opening suspicious attachments.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attacker-controlled JavaScript to execute in the browser of any user who views the affected page, potentially leading to unauthorized actions such as administrative operations and data theft. This can result in confidentiality and integrity loss of sensitive data.

Because the vulnerability can impact privileged accounts and enable persistent cross-site scripting attacks, it poses risks to the protection of personal and sensitive information, which is a core requirement in standards like GDPR and HIPAA.

Exploitation of this vulnerability could lead to non-compliance with these regulations due to unauthorized access, data breaches, and failure to maintain adequate security controls over sensitive data.

Useful 0 Not Useful 0