HIGH 7.1
PYSEC-2026-1991
trytond does not enforce access rights for the route of the HTML editor.
Details
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-66423 [ADVISORY]
- https://discuss.tryton.org/t/security-release-for-issue-14364/8952 [WEB]
- https://foss.heptapod.net/tryton/tryton/-/issues/14364 [WEB]
- https://github.com/tryton/trytond [PACKAGE]
- https://pypi.org/project/trytond [PACKAGE]
- https://github.com/advisories/GHSA-p3p5-xrmv-4j6x [ADVISORY]