CVE-2026-44669 Overview
CVE-2026-44669 is a stored cross-site scripting (XSS) vulnerability in FACTION, an open-source penetration testing report generation and collaboration framework. The flaw affects all versions prior to 1.8.3 and resides in the assessment file preview workflow. User-supplied attachment filenames are persisted to the backend and later rendered into HTML and attribute contexts without output encoding. An authenticated attacker can craft a filename containing JavaScript, which executes in the browser of every user who later views the affected page. The issue is tracked under CWE-79 and resolved in FACTION 1.8.3.
Critical Impact
Persistent JavaScript execution in privileged user sessions can lead to account takeover, theft of assessment data, and lateral movement within the collaboration platform.
Affected Products
- FACTION versions prior to 1.8.3
- FACTION assessment file preview component
- FACTION attachment handling subsystem
Discovery Timeline
- 2026-05-26 - CVE-2026-44669 published to the National Vulnerability Database (NVD)
- 2026-05-26 - Last updated in NVD database
- Fixed Release - FACTION 1.8.3 released with patch (see GitHub Faction Release 1.8.3)
Technical Details for CVE-2026-44669
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in FACTION's file preview functionality. When a user uploads an attachment to an assessment, the application stores the filename verbatim in the database. When the attachment is later listed or previewed, the filename is interpolated directly into the rendered HTML page and attribute values. Because the application omits HTML entity encoding and attribute encoding, embedded <script> tags or event handler payloads execute in the victim's browser session.
Exploitation requires only low-privileged authenticated access to upload an attachment. User interaction is required from the victim, who must view the affected assessment page. The scope change in the impact reflects the ability of the injected script to act across security boundaries inside the application, including privileged administrator sessions.
Root Cause
The root cause is missing output encoding on a user-controlled persisted field. FACTION trusts attachment filename strings as safe rendering input. The template responsible for the file preview view writes the filename into both element text and HTML attributes without contextual escaping, violating standard OWASP XSS prevention guidance.
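The effect of the missing encoding can be seen by rendering the same filename with and without it. This is an added Python illustration, not FACTION's code (which this page does not show); the row markup, function names and sample filename are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample filename carrying markup, as the advisory describes.
SAMPLE_FILENAME = 'scope"><img src=x onerror=alert(1)>.pdf'

# Hypothetical preview row: the filename lands in an attribute and in text.
ROW = '<a class="preview" title="{attr}" href="/preview?id={id}">{text}</a>'


def render_unencoded(file_id, filename):
    """Flawed pattern: the stored filename is interpolated verbatim."""
    return ROW.format(attr=filename, id=int(file_id), text=filename)


def render_encoded(file_id, filename):
    """Encode at output time; quote=True also encodes the quote characters,
    which is what keeps the value inside the double-quoted attribute."""
    safe = html.escape(filename, quote=True)
    return ROW.format(attr=safe, id=int(file_id), text=safe)


class _Collector(HTMLParser):
    """Records the elements and text an HTML tokenizer sees in the markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.elements, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, [name for name, _ in attrs]))

    def handle_data(self, data):
        self.text.append(data)


def parsed(markup):
    """Return ([(tag, attribute names)], visible text) for the markup."""
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.elements, "".join(collector.text)


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        elements, text = parsed(render(7, SAMPLE_FILENAME))
        print(f"{render.__name__}: elements={elements} text={text!r}")
```

With encoding applied, the tokenizer sees a single `a` element and the filename survives only as inert text and attribute data.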
Attack Vector
An authenticated attacker uploads a file whose name contains an XSS payload, for example a filename that includes an onerror handler or inline script tags. The malicious filename is stored server-side. When any collaborator, including assessment reviewers or administrators, opens the assessment file preview page, the payload renders inline and executes JavaScript in their authenticated browser context. The attacker can then exfiltrate session tokens, modify report contents, or pivot to other tenants.
No verified exploit code is publicly available. For technical specifics, refer to GitHub Security Advisory GHSA-f2jc-wx44-mr54.
Detection Methods for CVE-2026-44669
Indicators of Compromise
- Attachment filenames stored in the FACTION database containing HTML tags such as <script, <img, <svg, or onerror= substrings.
- Web server access logs showing file upload requests with suspicious Content-Disposition filename parameters.
- Outbound browser requests from FACTION user sessions to unfamiliar domains shortly after viewing assessment pages.
- Unexpected session token reuse from new IP addresses or user agents tied to FACTION accounts.
Detection Strategies
- Query the FACTION attachments table for filename values containing angle brackets, quotes, or JavaScript event handler keywords.
- Inspect application logs for file uploads where filename length or character set deviates from normal document naming conventions.
- Deploy a Content Security Policy (CSP) in report mode to surface inline script violations originating from assessment pages.
Monitoring Recommendations
- Alert on POST requests to FACTION attachment upload endpoints containing HTML metacharacters in the filename field.
- Monitor administrative account activity for anomalous actions immediately after viewing attachments uploaded by lower-privileged users.
- Forward FACTION web and application logs to a centralized analytics platform and retain them for retrospective hunting.
How to Mitigate CVE-2026-44669
Immediate Actions Required
- Upgrade FACTION to version 1.8.3 or later without delay using the official GitHub Faction Release 1.8.3.
- Audit existing attachment filenames in the database and sanitize or quarantine any entries containing HTML or script syntax.
- Force a password and session reset for privileged FACTION accounts that may have viewed attacker-supplied attachments.
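The filename audit described under Detection Strategies and in the immediate actions above can be run over an export of attachment metadata. This is an added Python example, not part of FACTION; the record fields (`id`, `filename`, `uploaded_by`), the sample rows and the quarantine/review triage policy are assumptions.

```python
import re

# Indicators named in the advisory: markup characters, quotes and
# event-handler keywords. The javascript: check is an added assumption.
CHECKS = {
    "angle_bracket": re.compile(r"[<>]"),
    "quote": re.compile(r"[\"']"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "script_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def classify(filename):
    """Return (action, reasons). Triage policy is an assumption:
    quarantine what can leave a text or attribute context, review the rest."""
    reasons = [name for name, rx in CHECKS.items() if rx.search(filename)]
    leaves_text = "angle_bracket" in reasons
    leaves_attr = "quote" in reasons and (
        "event_handler" in reasons or "script_scheme" in reasons)
    if leaves_text or leaves_attr:
        return "quarantine", reasons
    return ("review" if reasons else "ok"), reasons


def audit(records):
    """Return one finding per record whose filename is not clean."""
    findings = []
    for rec in records:
        action, reasons = classify(rec["filename"])
        if action != "ok":
            findings.append({"id": rec["id"], "uploaded_by": rec["uploaded_by"],
                             "action": action, "reasons": reasons})
    return findings


# Constructed rows standing in for an export of stored attachment metadata.
SAMPLE_RECORDS = [
    {"id": 1, "uploaded_by": "alice", "filename": "Q3-external-pentest-scope.pdf"},
    {"id": 2, "uploaded_by": "bob", "filename": "client's network diagram.png"},
    {"id": 3, "uploaded_by": "mallory", "filename": 'notes"><img src=x onerror=alert(1)>.txt'},
    {"id": 4, "uploaded_by": "mallory", "filename": 'evidence" onmouseover="alert(1).jpg'},
    {"id": 5, "uploaded_by": "carol", "filename": "onboarding=final.docx"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

Record 4 contains no angle brackets at all, which is why the audit treats a quote combined with an event-handler keyword as a quarantine case for the attribute context.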
Patch Information
FACTION 1.8.3 introduces proper output encoding for filename rendering in assessment file preview flows. Review the fix details in the GitHub Security Advisory GHSA-f2jc-wx44-mr54 and apply the release referenced above.
Workarounds
- Restrict attachment upload permissions to a small set of trusted users until the upgrade is complete.
- Enforce a strict Content Security Policy that blocks inline script execution on FACTION application pages.
- Apply a web application firewall rule to reject multipart upload requests whose filename field contains <, >, or " characters.
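The filename check behind the upload alert under Monitoring Recommendations and the firewall workaround above has to read every filename the part header carries, including the percent-encoded `filename*` form. This is an added Python example, not a FACTION or WAF-vendor rule; the function names and the sample headers are constructed.

```python
from email.message import Message
from email.utils import collapse_rfc2231_value

# Characters the workaround says to reject in the upload filename.
FORBIDDEN = frozenset('<>"')


def filename_candidates(content_disposition):
    """Return every filename the header carries: the plain `filename`
    parameter and the decoded RFC 2231 `filename*` parameter."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    params = msg.get_params(failobj=[], header="content-disposition")
    return [collapse_rfc2231_value(value)
            for key, value in params if key.lower() == "filename"]


def should_reject(content_disposition):
    """True if any filename candidate contains a forbidden character."""
    return any(FORBIDDEN & set(name)
               for name in filename_candidates(content_disposition))


# Constructed part headers from multipart/form-data upload requests.
SAMPLE_HEADERS = [
    'form-data; name="file"; filename="scope.pdf"',
    'form-data; name="file"; filename="<b>x</b>.pdf"',
    # Clean plain name, markup only in the percent-encoded extended form.
    "form-data; name=\"file\"; filename=\"scope.pdf\"; "
    "filename*=UTF-8''%3Cb%3Escope.pdf",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = "reject" if should_reject(header) else "allow"
        print(verdict, filename_candidates(header))
```

A rule that matches only the literal `filename="..."` text would allow the third header, so the check decodes both parameters before testing them.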
```bash
# Example upgrade workflow for self-hosted FACTION deployments
git fetch --tags
git checkout 1.8.3
docker compose down
docker compose build --no-cache
docker compose up -d
```


