Tryton


Products by Tryton Sorted by Most Security Vulnerabilities since 2018

Trytond: 6 vulnerabilities

Tryton Proteus: 2 vulnerabilities

Tryton: 1 vulnerability

By the Year

In 2026 there has been 1 vulnerability in Tryton, with an average score of 6.4 out of ten. Last year, in 2025, Tryton had 5 security vulnerabilities published. At the current rate, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.66.

Year   Vulnerabilities   Average Score
2026   1                 6.40
2025   5                 5.74
2024   0                 0.00
2023   0                 0.00
2022   2                 7.00
2021   0                 0.00
2020   0                 0.00
2019   0                 0.00
2018   1                 5.90

It may take a day or so for new Tryton vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Tryton Security Vulnerabilities

CVE-2020-37014 | Jan 30, 2026 | Products: Trytond
  Persistent XSS in Tryton 5.4 via User Profile Name Input
  Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.

CVE-2025-66420 | Nov 30, 2025
  Tryton sao XSS via HTML attachment (before 7.6.9)
  Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.

CVE-2025-66421 | Nov 30, 2025
  Tryton sao XSS via unescaped completions (before 7.6.11)
  Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69.

CVE-2025-66422 | Nov 30, 2025 | Products: Trytond
  Tryton trytond exposes trace-back (before 7.6.11)
  Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

CVE-2025-66423 | Nov 30, 2025 | Products: Trytond
  Tryton trytond <7.6.11 Access Rights Bypass via HTML Editor Route
  Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

CVE-2025-66424 | Nov 30, 2025 | Products: Trytond
  Tryton trytond before 7.6.11 Data Export Access Control Bypass
  Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

CVE-2022-26662 | Mar 10, 2022 | Products: Proteus, Trytond
  An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

CVE-2022-26661 | Mar 10, 2022 | Products: Proteus, Trytond
  An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

CVE-2018-19443 | Nov 22, 2018 | Products: Tryton
  The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).