CVE-2025-66420
MEDIUMTryton sao < 7.6.9 - Cross-Site Scripting via HTML Attachment
Title source: llmDescription
Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.
References (2)
Core 2
Core References
Issue Tracking
https://foss.heptapod.net/tryton/tryton/-/issues/14290
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
6.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (5)
npm/tryton-sao
7.5.0 - 7.6.9npm
Tryton/sao
< 6.0.67
Tryton/sao
7.0.0 - 7.0.38
Tryton/sao
7.1.0 - 7.4.19
Tryton/sao
7.5.0 - 7.6.9
Published
Nov 30, 2025
Tracked Since
Feb 18, 2026