CVE-2026-44669

Severity: High (CVSS 3.1 base score 8.7) · EPSS 11.4%
Published May 26, 2026 (1 month ago) · Modified Jun 17, 2026 (2 weeks ago)

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3.

CVSS Details

Base Score 8.7
Exploitability 2.3
Impact 5.8
Vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability 11.4%
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-79 Cross-site Scripting Injection

References (2)

  • github.com https://github.com/factionsecurity/faction/releases/tag/1.8.3
  • github.com https://github.com/factionsecurity/faction/security/advisories/GHSA-f2jc-wx44-mr54

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.