Vendor
Tryton
Products
3
CVEs
11
Across products
11
Status
Private
Products
3- 6 CVEs
- 3 CVEs
- 2 CVEs
Recent CVEs
11| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66421 | Med | 0.35 | 5.4 | 0.00 | Nov 30, 2025 | Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | |
| CVE-2025-66420 | Med | 0.35 | 5.4 | 0.00 | Nov 30, 2025 | Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67. | |
| CVE-2016-1242 | Med | 0.29 | 4.4 | 0.00 | Sep 7, 2016 | file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors. | |
| CVE-2015-0861 | Med | 0.28 | 4.3 | 0.00 | Apr 13, 2016 | model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records. | |
| CVE-2017-0360 | Med | 0.27 | 5.3 | 0.00 | Apr 4, 2017 | file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242. | |
| CVE-2025-66424 | 0.00 | — | 0.00 | Nov 30, 2025 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | ||
| CVE-2025-66422 | 0.00 | — | 0.00 | Nov 30, 2025 | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | ||
| CVE-2025-66423 | 0.00 | — | 0.00 | Nov 30, 2025 | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | ||
| CVE-2012-2238 | 0.00 | — | 0.00 | Nov 21, 2019 | trytond 2.4: ModelView.button fails to validate authorization | ||
| CVE-2013-4510 | 0.00 | — | 0.01 | Nov 18, 2013 | Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report. | ||
| CVE-2012-0215 | 0.00 | — | 0.01 | Jul 12, 2012 | model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call. |