CVE-2025-66423 — trytond does not enforce access rights for the route of the HTML editor.

Description

Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

How to fix CVE-2025-66423

To remediate CVE-2025-66423, upgrade the affected package to a fixed version below.

Debian/tryton-server—upgrade to 6.0.29-2+deb12u4 or later
—upgrade to 7.6.11 or later

Is CVE-2025-66423 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 6.0.29-2+deb12u4
>= 7.5.0, < 7.6.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-66423
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-66423
PATCHgithub.com/tryton/trytond
WEBdiscuss.tryton.org/t/security-release-for-issue-14364/8952
WEB