CVE-2026-44667 HIGH

CVE-2026-44667: Faction: Stored XSS in Remediation Verification Attachment Filename Preview Rendering

Vendor Factionsecurity
Product faction
Weakness CWE-79 · XSS
Published May 26, 2026
Last update May 27, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated