CVE-2026-44667 Overview
CVE-2026-44667 is a stored cross-site scripting (XSS) vulnerability in FACTION, a penetration testing report generation and collaboration framework. The flaw affects all versions prior to 1.8.3. Attacker-controlled JavaScript embedded in attachment filenames executes when other users view remediation verification file preview flows. User-supplied filename values are persisted server-side and rendered into HTML and attribute contexts without output encoding. The issue is tracked as CWE-79. Because the payload is stored and rendered to other users, exploitation persists across sessions and can compromise privileged accounts. FACTION released version 1.8.3 to address the issue.
Critical Impact
Authenticated attackers can persist JavaScript that executes in privileged users' browsers, enabling session theft, account takeover, and tampering with penetration testing reports.
Affected Products
- FACTION PenTesting Report Generation and Collaboration Framework
- All versions prior to 1.8.3
- Remediation verification and file preview components
Discovery Timeline
- 2026-05-26 - CVE-2026-44667 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44667
Vulnerability Analysis
The vulnerability resides in the remediation verification file preview flows of FACTION. When a user uploads an attachment, the application stores the filename as supplied by the client. The stored filename is later embedded into HTML markup and HTML attribute contexts during preview rendering without applying context-appropriate output encoding. Any user who opens the affected verification or remediation view triggers script execution under the FACTION origin. Stored XSS in a collaboration tool used by penetration testers and clients means payloads can target high-value accounts that review submitted findings.
Root Cause
The root cause is missing output encoding on a persisted, attacker-influenced field. FACTION accepts arbitrary characters in attachment filenames and writes the raw value into server-rendered templates. Without HTML entity encoding for body context and attribute encoding for attribute context, characters such as <, >, ", and ' retain their structural meaning. This classifies the issue under CWE-79 (Improper Neutralization of Input During Web Page Generation).
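The following is an added illustration of the encoding gap described above, not FACTION's own code: the rendering functions, the attachment link layout and the sample filename are constructed for this example, and no claim is made about how FACTION's templates are actually structured. It shows a filename interpolated raw into three contexts (URL path, HTML attribute, HTML body) beside a version that applies a context-appropriate encoder to each, and a small parser check confirming that the encoded output yields only the intended element.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample filename carrying markup and a quote character.
# It stands in for an attacker-supplied upload name; it is not from the advisory.
SAMPLE_FILENAME = 'finding-42"<script>x</script>.pdf'


def encode_for_url_path_segment(value: str) -> str:
    """Percent-encode everything except unreserved characters (safe="" also encodes "/")."""
    return quote(value, safe="")


def encode_for_html_attribute(value: str) -> str:
    """Entity-encode &, <, >, and both quote characters for use inside a quoted attribute."""
    return html.escape(value, quote=True)


def encode_for_html_body(value: str) -> str:
    """Entity-encode &, <, > for text-node (body) context; quotes are harmless there."""
    return html.escape(value, quote=False)


def render_preview_unsafe(filename: str) -> str:
    """Hypothetical vulnerable pattern: the stored filename is concatenated raw into
    a link, so <, >, and " keep their structural meaning in every context."""
    return (f'<a href="/attachments/{filename}" title="{filename}">'
            f'{filename}</a>')


def render_preview_safe(filename: str) -> str:
    """Same layout with one encoder per output context (the CWE-79 fix pattern)."""
    return (f'<a href="/attachments/{encode_for_url_path_segment(filename)}" '
            f'title="{encode_for_html_attribute(filename)}">'
            f'{encode_for_html_body(filename)}</a>')


class _TagCollector(HTMLParser):
    """Collects start-tag names so a test can see which elements a fragment really creates."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Return the element names the browser-like parser would instantiate for `markup`."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unsafe:", render_preview_unsafe(SAMPLE_FILENAME))
    print("safe:  ", render_preview_safe(SAMPLE_FILENAME))
    print("elements in safe output:", start_tags(render_preview_safe(SAMPLE_FILENAME)))
```

The point of the three separate encoders is that one encoding does not fit all contexts: entity encoding does nothing useful inside a URL, and percent-encoding does nothing useful inside a text node. Whatever templating layer is in use, the encoder has to match the slot the value lands in.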
Attack Vector
Exploitation requires an authenticated user with permission to upload attachments. The attacker crafts a filename that contains an XSS payload, then uploads it through the remediation verification workflow. The payload remains dormant until a second user, typically a reviewer or administrator, opens the verification or preview view. At that point the injected script executes in the victim's browser, with access to session cookies, CSRF tokens, and any actions the victim is authorized to perform inside FACTION.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-x3fm-rrxj-rg66 for vendor-provided technical detail.
Detection Methods for CVE-2026-44667
Indicators of Compromise
- Attachment records with filenames containing HTML or JavaScript syntax such as <script>, onerror=, onload=, or javascript:.
- Outbound browser requests from FACTION user sessions to unfamiliar domains shortly after opening remediation or verification views.
- Unexpected session activity or privilege changes on reviewer and administrator accounts that interacted with attachments.
Detection Strategies
- Query the FACTION database for stored filenames containing angle brackets, quotes, or event handler substrings and review matching uploads.
- Inspect web server access logs for POST requests to attachment upload endpoints with suspicious filename parameters in multipart bodies.
- Enable and review browser Content Security Policy (CSP) violation reports if a CSP is deployed in front of FACTION.
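As an added example of the first detection strategy above (this is not a FACTION tool, and the record layout, field names and sample rows are constructed for illustration), the script below triages exported attachment records by filename. It percent-decodes each name before matching, because an encoded name such as %3Cscript%3E would otherwise slip past a plain angle-bracket search, and it separates strong signals (angle brackets, event-handler substrings, a javascript: scheme) from bare quote characters, which occur in legitimate names and only merit a review.

```python
import re
from urllib.parse import unquote

# Strong indicators named in the advisory: markup delimiters, event handlers, javascript: scheme.
# \b keeps "on[a-z]+=" from matching inside words like "lesson=" or "season=".
HIGH_SIGNAL = re.compile(r'<|>|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)
# Quote characters can break out of attribute context but also appear in ordinary names.
QUOTE_SIGNAL = re.compile(r'["\']')

# Constructed sample export; FACTION's real schema and table names are not assumed here.
SAMPLE_RECORDS = [
    {"id": 101, "uploaded_by": "alice", "filename": "scope-confirmation.pdf"},
    {"id": 102, "uploaded_by": "bob",   "filename": "John's notes.txt"},
    {"id": 103, "uploaded_by": "carol", "filename": "screenshot on-prem.png"},
    {"id": 104, "uploaded_by": "dave",  "filename": "evidence<script>x</script>.png"},
    {"id": 105, "uploaded_by": "dave",  "filename": "evidence%3Cscript%3E.png"},
    {"id": 106, "uploaded_by": "erin",  "filename": "javascript:x.txt"},
    {"id": 107, "uploaded_by": "frank", "filename": "lesson=1.txt"},
]


def normalize(filename: str) -> str:
    """Undo up to two layers of percent-encoding (heuristic) so encoded markup is visible."""
    current = filename
    for _ in range(2):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(filename: str):
    """Return "high", "review", or None for a single stored filename."""
    name = normalize(filename)
    if HIGH_SIGNAL.search(name):
        return "high"
    if QUOTE_SIGNAL.search(name):
        return "review"
    return None


def scan(records):
    """Return (id, severity) for every record whose filename needs a look, in input order."""
    findings = []
    for record in records:
        severity = classify(record["filename"])
        if severity:
            findings.append((record["id"], severity))
    return findings


def uploaders_of_interest(records):
    """Accounts behind high-signal uploads, for correlation with authentication logs."""
    return sorted({r["uploaded_by"] for r in records if classify(r["filename"]) == "high"})


if __name__ == "__main__":
    for record_id, severity in scan(SAMPLE_RECORDS):
        print(f"attachment {record_id}: {severity}")
    print("uploaders to correlate:", uploaders_of_interest(SAMPLE_RECORDS))
```

Feed it the rows from whatever export or query you run against the attachment table; the uploader list is the input to the account correlation step under Monitoring Recommendations.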
Monitoring Recommendations
- Audit which accounts have uploaded attachments since deployment and correlate against accounts viewing remediation views.
- Monitor authentication logs for session anomalies on privileged accounts following attachment views.
- Track upgrade status of FACTION instances against version 1.8.3 across the environment.
How to Mitigate CVE-2026-44667
Immediate Actions Required
- Upgrade FACTION to version 1.8.3 or later as documented in the GitHub Faction Release 1.8.3 notes.
- Review existing attachment records for malicious filenames and rename or remove any that contain script-like content.
- Force password rotation and session invalidation for privileged accounts that may have rendered affected previews.
Patch Information
FACTION version 1.8.3 fixes the issue by applying proper output encoding to attachment filenames in remediation verification and file preview rendering. Operators should pull the release from the official factionsecurity/faction GitHub repository and follow the project's standard upgrade procedure.
Workarounds
- Restrict attachment upload permissions to a minimal set of trusted users until the upgrade is applied.
- Deploy a strict Content Security Policy that disallows inline scripts on FACTION origins to limit payload execution.
- Avoid opening remediation verification or file preview views from untrusted submissions on vulnerable instances.
# Example: identify locally deployed FACTION versions before upgrading
git -C /opt/faction describe --tags
docker image ls | grep -i faction
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


