What is CVE-2025-66022?

CVE-2025-66022 is a critical-severity vulnerability in Factionsecurity Faction, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 9.7/10. Published 2025-11-26.

How severe is CVE-2025-66022?

Critical severity. CVSS v3 base score is 9.7 out of 10.

Is CVE-2025-66022 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Factionsecurity Faction

CVE-2025-66022

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server…

EPSS: 0.008 (74.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.7 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Affected products

Factionsecurity Faction — versions < 1.7.1

Weakness classification (CWE)

Public proof-of-concept exploits

wasfyelbaz/CVE-2025-66022

References

https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w (x_refsource_CONFIRM)
https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-66022?: CVE-2025-66022 is a critical-severity vulnerability in Factionsecurity Faction, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 9.7/10. Published 2025-11-26.
How severe is CVE-2025-66022?: Critical severity. CVSS v3 base score is 9.7 out of 10.
Is CVE-2025-66022 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.