Trytond
By the Year
In 2026 there has been 1 vulnerability in Trytond, with an average score of 6.4 out of ten. Last year, in 2025, Trytond had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Trytond in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is 0.43 higher than in 2025.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.40 |
| 2025 | 3 | 5.97 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 7.00 |
It may take a day or so for new Trytond vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Trytond Security Vulnerabilities
Persistent XSS in Tryton 5.4 via User Profile Name Input
CVE-2020-37014 | 6.4 - Medium | January 30, 2026
Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces.
XSS
Tryton trytond RCE: Exposes trace-back (before 7.6.11)
CVE-2025-66422 | 4.3 - Medium | November 30, 2025
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Resource Leak
Tryton trytond <7.6.11 Access Rights Bypass via HTML Editor Route
CVE-2025-66423 | 7.1 - High | November 30, 2025
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
AuthZ
Tryton trytond before 7.6.11 Data Export Access Control Bypass
CVE-2025-66424 | 6.5 - Medium | November 30, 2025
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
AuthZ
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45
CVE-2022-26662 | 7.5 - High | March 10, 2022
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
XEE
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45
CVE-2022-26661 | 6.5 - Medium | March 10, 2022
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
XXE