CVE-2026-44667 factionsecurity CVE debrief

Who should care

Organizations using FACTION for penetration testing report generation and collaboration should prioritize patching. Security teams, penetration testers, and administrators who handle remediation verification workflows are at direct risk of session compromise and privilege escalation through this stored XSS vector.

Technical summary

The vulnerability exists in FACTION's handling of attachment filenames during remediation verification file preview flows. Filenames are stored without sanitization and later rendered directly into HTML and HTML attribute contexts. The lack of output encoding allows injection of JavaScript payloads that execute when any user—including administrators—views the affected verification or remediation interface. This is a stored XSS variant with network attack vector, low attack complexity, low privileges required, and user interaction required, with changed scope and high impact to confidentiality and integrity.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade FACTION to version 1.8.3 or later to remediate this vulnerability
• Review and sanitize all user-supplied filename inputs in file upload and preview workflows
• Implement context-appropriate output encoding for filenames rendered in HTML and attribute contexts
• Audit existing stored filenames for potential malicious payloads if prior versions were deployed
• Consider Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors

Evidence notes

The vulnerability description and fix version are sourced from official GitHub Security Advisory GHSA-x3fm-rrxj-rg66 and the corresponding release tag 1.8.3. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N yields a base score of 8.7 (HIGH). CWE-79 (Improper Neutralization of Input During Web Page Generation) is identified as the primary weakness.

Official resources