Security
Headlines

Headlines Latest CVEs

Headline

GHSA-6qj9-2g9m-29x9: Tryton sao allows XSS because it does not escape completion values

Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69.

2 days ago

#xss #nodejs #git #intel

Skip to content

Navigation Menu

- AI CODE CREATION
  - GitHub CopilotWrite better code with AI
  - GitHub SparkBuild and deploy intelligent apps
  - GitHub ModelsManage and compare prompts
  - MCP RegistryNewIntegrate external tools

View all features

Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

GitHub Advisory Database
GitHub Reviewed
CVE-2025-66421

Tryton sao allows XSS because it does not escape completion values

Moderate severity GitHub Reviewed Published Nov 30, 2025 to the GitHub Advisory Database • Updated Dec 2, 2025

Package

npm tryton-sao (npm)

Affected versions

>= 7.5.0, < 7.6.11

>= 7.1.0, < 7.4.21

>= 7.0.0, < 7.0.40

< 6.0.69

Patched versions

7.6.11

7.4.21

7.0.40

6.0.69

Description

Published to the GitHub Advisory Database

Nov 30, 2025

ghsa: Latest News

GHSA-69jw-4jj8-fcxm: gokey allows secret recovery from a seed file without the master password

58 minutes ago

GHSA-g2jx-37x6-6438: arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

58 minutes ago

GHSA-8fr4-5q9j-m8gm: vLLM vulnerable to remote code execution via transformers_utils/get_config

1 hour ago

GHSA-9h52-p55h-vw2f: Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

2 hours ago

GHSA-w48q-cv73-mx4w: Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

2 hours ago