tryton CVE Vulnerabilities & Metrics

Focus on tryton vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About tryton Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with tryton. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total tryton CVEs: 10
Earliest CVE date: 12 Jul 2012, 20:55 UTC
Latest CVE date: 10 Mar 2022, 17:47 UTC

Latest CVE reference: CVE-2022-26662

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical tryton CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.97

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	8
7.0-8.9	1
9.0-10.0	1

CVSS Distribution Chart

Top 5 Highest CVSS tryton CVEs

These are the five CVEs with the highest CVSS scores for tryton, sorted by severity first and recency.

CVE-2014-6633 tryton Published on 12 Apr 2018, 15:29 UTC (CVSS: 9.0)
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
CVE-2013-4510 tryton Published on 18 Nov 2013, 02:55 UTC (CVSS: 7.8)
Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report.
CVE-2012-0215 tryton Published on 12 Jul 2012, 20:55 UTC (CVSS: 5.5)
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
CVE-2022-26662 tryton Published on 10 Mar 2022, 17:47 UTC (CVSS: 5.0)
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of th...
CVE-2012-2238 tryton Published on 21 Nov 2019, 14:15 UTC (CVSS: 5.0)
trytond 2.4: ModelView.button fails to validate authorization

All CVEs for tryton

CVE-2022-26662 tryton vulnerability CVSS: 5.0 10 Mar 2022, 17:47 UTC

An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.

CVE-2022-26661 tryton vulnerability CVSS: 4.0 10 Mar 2022, 17:47 UTC

An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.

CVE-2012-2238 tryton vulnerability CVSS: 5.0 21 Nov 2019, 14:15 UTC

trytond 2.4: ModelView.button fails to validate authorization

CVE-2019-10868 tryton vulnerability CVSS: 4.0 05 Apr 2019, 01:29 UTC

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

CVE-2018-19443 tryton vulnerability CVSS: 4.3 22 Nov 2018, 19:29 UTC

The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.

CVE-2014-6633 tryton vulnerability CVSS: 9.0 12 Apr 2018, 15:29 UTC

The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.

CVE-2017-0360 tryton vulnerability CVSS: 3.5 04 Apr 2017, 17:59 UTC

file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.

CVE-2016-1242 tryton vulnerability CVSS: 4.0 07 Sep 2016, 19:28 UTC

file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.

CVE-2016-1241 tryton vulnerability CVSS: 3.5 07 Sep 2016, 19:28 UTC

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.

CVE-2015-0861 tryton vulnerability CVSS: 4.0 13 Apr 2016, 15:59 UTC

model/modelstorage.py in trytond 3.2.x before 3.2.10, 3.4.x before 3.4.8, 3.6.x before 3.6.5, and 3.8.x before 3.8.1 allows remote authenticated users to bypass intended access restrictions and write to arbitrary fields via a sequence of records.

CVE-2013-4510 tryton vulnerability CVSS: 7.8 18 Nov 2013, 02:55 UTC

Directory traversal vulnerability in the client in Tryton 3.0.0, as distributed before 20131104 and earlier, allows remote servers to write arbitrary files via path separators in the extension of a report.

CVE-2012-0215 tryton vulnerability CVSS: 5.5 12 Jul 2012, 20:55 UTC

model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.