CVE-2022-26661
Description
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XXE vulnerability in Tryton Application Platform allows authenticated users to read arbitrary files via crafted XML SEPA files.
Vulnerability
An XML External Entity (XXE) issue exists in the Tryton Application Platform, affecting both the server (trytond) and the command-line client (proteus). The vulnerability is present in trytond versions 5.x through 5.0.45, 6.x through 6.0.15, and 6.2.x through 6.2.5, and in proteus versions 5.x through 5.0.11, 6.x through 6.0.4, and 6.2.x through 6.2.1 [1][2]. The bug resides in the parsing of XML SEPA (Single Euro Payments Area) files, where the XML parser does not disable external entity resolution, allowing an attacker to include external entities that reference local files.
Exploitation
An authenticated user can exploit this vulnerability by sending a crafted XML SEPA file to the server. The attack requires network access and low privileges (authenticated user), but no user interaction. The attacker does not need any special write access or race condition; the exploitation complexity is low [2]. The crafted XML file contains an external entity that points to a local file path, and when the server parses the file, it resolves the entity and includes the file content in the response or error message.
Impact
Successful exploitation leads to arbitrary file read on the server. The attacker can access any file that the server process has read permissions for, potentially including configuration files, credentials, or sensitive data. The CVSS v3.0 base score is 6.5, with high confidentiality impact, no integrity impact, and no availability impact [2]. The scope remains unchanged, meaning the attacker does not gain control over other system components.
Mitigation
The vendor has released fixed versions: trytond 6.2.6, 6.0.16, and 5.0.46; proteus 6.2.2, 6.0.5, and 5.0.12 [2]. All affected users should upgrade to these versions or later. As a workaround, administrators can activate defusedxml, define default lxml parsers that do not resolve entities, and upgrade expat to version 2.4.1 or newer [2]. No workaround is available for the command-line client beyond upgrading. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| trytond | PyPI | >= 5.0.0, < 5.0.46 | 5.0.46 |
| trytond | PyPI | >= 6.0.0, < 6.0.16 | 6.0.16 |
| trytond | PyPI | >= 6.1.0, < 6.2.6 | 6.2.6 |
| proteus | PyPI | >= 5.0.0, < 5.0.12 | 5.0.12 |
| proteus | PyPI | >= 6.0.0, < 6.0.5 | 6.0.5 |
| proteus | PyPI | >= 6.1.0, < 6.2.2 | 6.2.2 |
Affected products
- Tryton / Application Platform
  - GHSA coordinates (2 versions): >= 5.0.0, < 5.0.12, + 1 more
  - (no CPE) range: >= 5.0.0, < 5.0.12
  - (no CPE) range: >= 5.0.0, < 5.0.46
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cj78-rgw3-4h5p (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-26661 (GHSA; advisory)
- www.debian.org/security/2022/dsa-5098 (GHSA; vendor advisory, x_refsource_DEBIAN, web)
- www.debian.org/security/2022/dsa-5099 (GHSA; vendor advisory, x_refsource_DEBIAN, web)
- bugs.tryton.org/issue11219 (MITRE; x_refsource_MISC)
- discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059 (GHSA; x_refsource_MISC, web)
- foss.heptapod.net/tryton/tryton/-/issues/11219 (GHSA; web)
- hg.tryton.org/trytond (GHSA; package)
- lists.debian.org/debian-lts-announce/2022/03/msg00016.html (GHSA; mailing list, x_refsource_MLIST, web)
- lists.debian.org/debian-lts-announce/2022/03/msg00017.html (GHSA; mailing list, x_refsource_MLIST, web)
News mentions
No linked articles in our index yet.