CVE-2025-66022

26.11.2025, 03:15

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Factions extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.6 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
GitHub_M	CNA	9.7 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Vendor	Product	Version
owasp	faction	𝑥 < 1.7.1

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3

https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w