CVE-2025-66423

HIGH7.1EPSS 0.04%

trytond does not enforce access rights for the route of the HTML editor.

Published: 11/30/2025Modified: 4/28/2026

Description

Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

Affected packages (2)

Debian/tryton-serverfrom 0, < 6.0.29-2+deb12u4
PyPI/trytond>= 7.5.0, < 7.6.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-66423
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-66423
PATCHhttps://github.com/tryton/trytond
WEBhttps://discuss.tryton.org/t/security-release-for-issue-14364/8952
WEBhttps://foss.heptapod.net/tryton/tryton/-/issues/14364