PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44669 factionsecurity CVE debrief

FACTION, a penetration testing report generation and collaboration framework, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 1.8.3. The flaw exists in assessment file preview flows where user-supplied attachment filenames are persisted to the server and subsequently rendered into HTML and attribute contexts without proper output encoding. Because the malicious payload is stored server-side and delivered to other users viewing affected pages, the vulnerability enables persistent JavaScript execution in victim browsers, including those of privileged accounts. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, and high impacts to confidentiality and integrity with no availability impact. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). A fix is available in version 1.8.3.

Vendor: factionsecurity
Product: faction
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations using FACTION for penetration testing report generation and collaboration, particularly those with multi-user environments where assessment files are shared across team members or with clients. Security teams responsible for application security testing platforms and developers maintaining FACTION deployments should also take note.

Technical summary

The vulnerability stems from insufficient output encoding when rendering user-controlled attachment filenames in assessment file preview interfaces. Attackers can craft filenames containing JavaScript payloads that execute when other users view the preview page. The stored nature of the flaw means a single malicious upload can compromise multiple subsequent viewers, including administrators or other high-privilege users. The fix in version 1.8.3 implements proper encoding of filename values in HTML and attribute contexts.
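The following is an added illustration, not FACTION's own code or template: it models the two output contexts the advisory names (HTML body and attribute, plus the URL the filename is embedded in) with a hypothetical preview link, renders a constructed filename through a raw-concatenation pattern and through a context-aware encoding pattern, and uses Python's HTML parser to show what a browser would build from each. The filename, the fragment layout and the function names are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample filename (not from the advisory): it carries a quote and a
# tag, so rendered raw it closes the attribute it sits in and injects markup.
SAMPLE_FILENAME = 'report"><b>x</b>.pdf'


def render_preview_unsafe(filename: str) -> str:
    """Vulnerable pattern (hypothetical preview fragment, not FACTION's template):
    the stored filename is concatenated raw into a URL, an attribute and the body."""
    return (f'<a href="/preview?file={filename}" title="{filename}">'
            f'{filename}</a>')


def render_preview_safe(filename: str) -> str:
    """Hardened pattern: every occurrence is encoded for the context it lands in.
    URL query value -> percent-encoding; attribute value -> entity encoding with
    quotes neutralised; element text -> entity encoding of tag delimiters."""
    return (f'<a href="/preview?file={quote(filename, safe="")}" '
            f'title="{html.escape(filename, quote=True)}">'
            f'{html.escape(filename, quote=False)}</a>')


class _Inspector(HTMLParser):
    """Collects start tags and visible text, i.e. what a browser's DOM would hold."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text += data


def inspect(fragment: str):
    """Return (start_tags, visible_text) for a rendered fragment."""
    parser = _Inspector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.text


if __name__ == "__main__":
    for label, render in (("unsafe", render_preview_unsafe),
                          ("safe", render_preview_safe)):
        tags, text = inspect(render(SAMPLE_FILENAME))
        print(f"{label}: tags={tags} text={text!r}")
```

The safe rendering yields a single anchor whose visible text is exactly the stored filename, while the unsafe one yields extra elements the uploader controls. The point of encoding at the output, rather than relying on upload-time filtering alone, is that a filename already stored before the fix is still rendered harmlessly.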

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade FACTION to version 1.8.3 or later to remediate the stored XSS vulnerability
  • Review assessment file attachments and preview logs for suspicious filename patterns that may indicate prior exploitation attempts
  • Implement Content Security Policy (CSP) headers and output encoding defenses as defense-in-depth measures for file preview functionality
  • Audit user accounts with access to assessment file previews for anomalous activity, particularly privileged accounts
  • Validate and sanitize all user-supplied filename inputs at both client and server boundaries before persistence and rendering

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory GHSA-f2jc-wx44-mr54 and release notes. CVSS vector and CWE classification sourced from NVD record. No evidence of active exploitation or CISA KEV inclusion at time of disclosure.

Official resources

2026-05-26