CVE-2022-26662
Description
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XML Entity Expansion (XEE) vulnerability in Tryton Application Platform allows unauthenticated attackers to cause denial of service via crafted XML-RPC messages.
Vulnerability
An XML Entity Expansion (XEE) issue, also known as an XML bomb, exists in the Tryton Application Platform. The vulnerability affects the server component (trytond) versions 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, as well as the command-line client (proteus) versions 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1 [1][2]. The flaw resides in the XML-RPC message parsing, where entity expansion is not properly limited.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a single crafted XML-RPC message containing deeply nested or exponentially expanding entity references. No authentication or prior access is required. The message is processed by the server, causing the XML parser to expand entities recursively, which rapidly consumes CPU and memory resources [2].
Impact
Successful exploitation leads to a denial of service (DoS) condition, where the server becomes unresponsive or crashes due to resource exhaustion. The CVSS v3.0 base score for this issue is 7.5 (High), with attack vector network, low complexity, no privileges required, no user interaction, and high availability impact. There is no impact on confidentiality or integrity [2].
Mitigation
Fixed versions are available: for trytond, upgrade to 6.2.6, 6.0.16, or 5.0.46 or later; for proteus, upgrade to 6.2.2, 6.0.5, or 5.0.12 or later [2]. As a workaround, administrators can activate defusedxml, configure the default lxml parsers not to resolve entities, and upgrade the expat library to version 2.4.1 or newer (which adds its own entity-expansion amplification limits) [2]. No other workarounds are documented.
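The workaround "activate defusedxml" amounts to refusing any XML-RPC body that declares entities before the parser is allowed to expand them. The following is an added, stdlib-only illustration of that guard (not Tryton's or defusedxml's code): it hooks expat's entity-declaration callback, aborts on the first declaration, and only then hands the body to `xmlrpc.client.loads`. The request bodies and the `example.ping` method name are constructed placeholders, not real Tryton RPC methods.

```python
"""Entity-declaration guard for XML-RPC request bodies (stdlib only).

Added example, not Tryton code. It shows the defusedxml-style check an
XML-RPC endpoint can run before decoding a request: a body that declares
entities (the precondition for entity expansion) is refused before any
expansion work is done.
"""
import xml.parsers.expat
import xmlrpc.client


class EntitiesForbidden(ValueError):
    """Raised when a request body declares an XML entity."""


def _refuse_entity_declaration(name, is_parameter_entity, value, base,
                               system_id, public_id, notation_name):
    # expat invokes this for every <!ENTITY ...> in the DTD, internal or
    # external, before any reference to it is expanded. Raising here
    # aborts the parse, so no expansion work is ever performed.
    kind = "parameter" if is_parameter_entity else "general"
    raise EntitiesForbidden(f"{kind} entity {name!r} declared in request body")


def assert_no_entities(body: bytes) -> None:
    """Parse `body` with expat and abort on the first entity declaration."""
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _refuse_entity_declaration
    parser.Parse(body, True)  # raises ExpatError on malformed XML


def decode_xmlrpc_call(body: bytes):
    """Decode an XML-RPC method call only after the entity guard accepts it.

    Returns (method_name, params); raises EntitiesForbidden when the body
    declares entities.
    """
    assert_no_entities(body)
    params, method_name = xmlrpc.client.loads(body)
    return method_name, params


def rejects_entities(body: bytes) -> bool:
    """True if the guard refuses `body` because it declares entities."""
    try:
        decode_xmlrpc_call(body)
    except EntitiesForbidden:
        return True
    return False


# Constructed sample request bodies; the method name is a placeholder,
# not a real Tryton RPC method.
BENIGN_CALL = (
    b'<?xml version="1.0"?>'
    b'<methodCall><methodName>example.ping</methodName>'
    b'<params><param><value><int>1</int></value></param></params>'
    b'</methodCall>'
)

# A single harmless entity is enough to trip the guard: the check is on
# the declaration itself, not on how large an expansion would become.
ENTITY_CALL = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE methodCall [<!ENTITY greeting "hello">]>'
    b'<methodCall><methodName>example.ping</methodName>'
    b'<params><param><value><string>&greeting;</string></value></param></params>'
    b'</methodCall>'
)

if __name__ == "__main__":
    print(decode_xmlrpc_call(BENIGN_CALL))  # ('example.ping', (1,))
    print(rejects_entities(ENTITY_CALL))    # True
```

Rejecting on the declaration rather than on expansion size is the design choice that matters: XML-RPC never needs custom entities, so there is no legitimate traffic to lose, and the decision is made before the parser does any of the work an expansion would cost. The packaged equivalent is `defusedxml.xmlrpc.monkey_patch()`, which installs the same kind of handler into `xmlrpc.client`; the expat 2.4.1 upgrade the advisory mentions adds a complementary limit on expansion amplification inside the library itself.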
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| trytond (PyPI) | >= 5.0.0, < 5.0.46 | 5.0.46 |
| trytond (PyPI) | >= 6.0.0, < 6.0.16 | 6.0.16 |
| trytond (PyPI) | >= 6.1.0, < 6.2.6 | 6.2.6 |
| proteus (PyPI) | >= 5.0.0, < 5.0.12 | 5.0.12 |
| proteus (PyPI) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| proteus (PyPI) | >= 6.1.0, < 6.2.2 | 6.2.2 |
Affected products
- Tryton / Application Platform (no CPE assigned); GHSA version ranges: >= 5.0.0, < 5.0.12 and >= 5.0.0, < 5.0.46
References
- github.com/advisories/GHSA-pm3h-mm62-pwm8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-26662 (NVD advisory)
- www.debian.org/security/2022/dsa-5098 (Debian vendor advisory)
- www.debian.org/security/2022/dsa-5099 (Debian vendor advisory)
- bugs.tryton.org/issue11244 (Tryton bug tracker)
- discuss.tryton.org/t/security-release-for-issue11219-and-issue11244/5059 (Tryton security release announcement)
- hg.tryton.org/trytond (package repository)
- lists.debian.org/debian-lts-announce/2022/03/msg00016.html (Debian LTS mailing list)
- lists.debian.org/debian-lts-announce/2022/03/msg00017.html (Debian LTS mailing list)