Stored Cross-Site Scripting Vulnerability in FACTION PenTesting Framework
CVE-2026-44669

8.7HIGH

Key Information:

Vendor: Factionsecurity
Status: Faction
Vendor: CVE Published:; 26 May 2026

🔔 Create Factionsecurity Vulnerability Alert

What is CVE-2026-44669?

FACTION, a PenTesting Report Generation and Collaboration Framework, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability. This issue arises from unencoded user-supplied filename values in assessment file previews, which are stored and later rendered into HTML contexts. This flaw allows attackers to execute malicious JavaScript in the browsers of users who access the affected page, thereby impacting all users, including those with privileged accounts. The issue has been rectified in version 1.8.3.

Affected Version(s)

faction < 1.8.3

References

https://github.com/factionsecurity/faction/security/advis...

x_refsource_CONFIRM

https://github.com/factionsecurity/faction/releases/tag/1...

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44669 Data

JSON