Approved changes feed: RSS · Atom
cpe:2.3:a:owasp:faction:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Owasp (b778b703-6f88-5eeb-b966-330b456a6d00) |
|---|---|
| Product | Faction (d68f6722-759b-5d7d-88f5-908711a76680) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-66022 |
vulnerable | 2026-06-03 15:09:40.770942 |
FACTION Unauthenticated Custom Extension Upload leads to RCE
CRITICAL (9.7)
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
Published: 2025-11-26T02:08:14.805Z
Updated: 2025-11-26T15:13:42.175Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.