Tryton
Products
6- Trytond12 CVEspypi
- 2 CVEs
- 1 CVE
- 0 CVEs
- 0 CVEs
- 0 CVEs
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-37014 | Med | 0.42 | 6.4 | 0.00 | Jan 30, 2026 | Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and… | ||
| CVE-2024-9774 | Med | 0.42 | 6.5 | 0.01 | Dec 27, 2024 | A vulnerability was found in python-sql where unary operators do not escape non-Expression. | ||
| CVE-2025-66421 | Med | 0.35 | 5.4 | 0.00 | Nov 30, 2025 | Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | ||
| CVE-2025-66420 | Med | 0.35 | 5.4 | 0.00 | Nov 30, 2025 | Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67. | ||
| CVE-2016-1242 | Med | 0.29 | 4.4 | 0.02 | Sep 7, 2016 | file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors. | ||
| CVE-2017-0360 | Med | 0.28 | 5.3 | 0.02 | Apr 4, 2017 | file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242. | ||
| CVE-2016-1241 | Med | 0.28 | 5.3 | 0.02 | Sep 7, 2016 | Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors. | ||
| CVE-2015-0861 | Med | 0.21 | 4.3 | 0.01 | Apr 13, 2016 | model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. | ||
| CVE-2025-66422 | 0.00 | — | 0.00 | Nov 30, 2025 | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | |||
| CVE-2025-66423 | 0.00 | — | 0.00 | Nov 30, 2025 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | |||
| CVE-2025-66424 | 0.00 | — | 0.00 | Nov 30, 2025 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | |||
| CVE-2012-2238 | 0.00 | — | 0.02 | Nov 21, 2019 | trytond 2.4: ModelView.button fails to validate authorization | |||
| CVE-2019-10868 | 0.00 | — | 0.01 | Apr 5, 2019 | In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values. | |||
| CVE-2013-4510 | 0.00 | — | 0.02 | Nov 18, 2013 | Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report. | |||
| CVE-2012-0215 | 0.00 | — | 0.02 | Jul 12, 2012 | model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2)… |
- risk 0.42cvss 6.4epss 0.00
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and…
- risk 0.42cvss 6.5epss 0.01
A vulnerability was found in python-sql where unary operators do not escape non-Expression.
- risk 0.35cvss 5.4epss 0.00
Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69.
- risk 0.35cvss 5.4epss 0.00
Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.
- risk 0.29cvss 4.4epss 0.02
file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.
- risk 0.28cvss 5.3epss 0.02
file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.
- risk 0.28cvss 5.3epss 0.02
Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
- risk 0.21cvss 4.3epss 0.01
model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.
- CVE-2025-66422Nov 30, 2025risk 0.00cvss —epss 0.00
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
- CVE-2025-66423Nov 30, 2025risk 0.00cvss —epss 0.00
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
- CVE-2025-66424Nov 30, 2025risk 0.00cvss —epss 0.00
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
- CVE-2012-2238Nov 21, 2019risk 0.00cvss —epss 0.02
trytond 2.4: ModelView.button fails to validate authorization
- CVE-2019-10868Apr 5, 2019risk 0.00cvss —epss 0.01
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
- CVE-2013-4510Nov 18, 2013risk 0.00cvss —epss 0.02
Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report.
- CVE-2012-0215Jul 12, 2012risk 0.00cvss —epss 0.02
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2)…