This page lists publicly disclosed CVE vulnerabilities affecting tryton trytond (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-66424 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | [email protected] | 6.5 | 0.20% | 2025-11-30 | 2025-12-04 |
| CVE-2025-66423 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | [email protected] | 7.1 | 0.19% | 2025-11-30 | 2025-12-04 |
| CVE-2025-66422 | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | [email protected] | 4.3 | 0.25% | 2025-11-30 | 2025-12-04 |
| CVE-2022-26662 | An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server. | [email protected] | 7.5 | 1.88% | 2022-03-10 | 2024-11-21 |
| CVE-2022-26661 | An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system. | [email protected] | 6.5 | 1.37% | 2022-03-10 | 2024-11-21 |
| CVE-2012-2238 | trytond 2.4: ModelView.button fails to validate authorization | [email protected] | 7.5 | 1.76% | 2019-11-21 | 2024-11-21 |
| CVE-2019-10868 | In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. | [email protected] | 6.5 | 1.28% | 2019-04-05 | 2024-11-21 |
| CVE-2015-0861 | model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. | [email protected] | 4.3 | 1.15% | 2016-04-13 | 2026-05-06 |
| CVE-2012-0215 | model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call. | [email protected] | 5.5 | 1.97% | 2012-07-12 | 2026-04-29 |