Stored Cross-Site Scripting Vulnerability in FACTION PenTesting Framework
CVE-2026-44667

8.7HIGH

Key Information:

Vendor: Factionsecurity
Status: Faction
Vendor: CVE Published:; 26 May 2026

🔔 Create Factionsecurity Vulnerability Alert

What is CVE-2026-44667?

FACTION is a robust PenTesting Report Generation and Collaboration Framework. Before version 1.8.3, it was susceptible to stored cross-site scripting (XSS) vulnerabilities via the manipulation of attachment filenames during remediation verification file previews. The vulnerability arises because user-supplied filename values are stored and later rendered into HTML without proper encoding, which allows an attacker to inject JavaScript that executes in the browsers of users accessing affected remediation views. This flaw can have serious implications, especially for privileged accounts, as the malicious payload is stored server-side, leading to persistent exploitation. The issue has been addressed in version 1.8.3.

Affected Version(s)

faction < 1.8.3

References

https://github.com/factionsecurity/faction/security/advis...

x_refsource_CONFIRM

https://github.com/factionsecurity/faction/releases/tag/1...

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44667 Data

JSON