CVE-2025-66421 is an XSS vulnerability classified under CWE-79 affecting Tryton sao, an open-source web client for the Tryton ERP platform. The vulnerability exists because the application fails to properly escape or neutralize user-supplied input in completion values during dynamic web page generation. This improper input handling allows an attacker with at least limited privileges (PR:L) to inject malicious scripts that execute in the browsers of other users who view the affected pages. The vulnerability requires user interaction (UI:R), such as clicking a crafted link or interacting with a malicious input field, and can lead to partial compromise of confidentiality and integrity by stealing session tokens, performing actions on behalf of users, or exfiltrating sensitive data. The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector (AV:N), low attack complexity (AC:L), and limited privileges required. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. Availability is not impacted. The flaw affects multiple versions of Tryton sao before 7.6.11, with patches released in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially ERP systems that handle sensitive business data.

For European organizations using Tryton sao, this vulnerability poses a risk of unauthorized script execution within user sessions, potentially leading to data leakage, session hijacking, or unauthorized actions performed on behalf of legitimate users. Given Tryton's use in managing enterprise resource planning, such attacks could expose sensitive financial, operational, or personal data. While the vulnerability does not affect system availability, the compromise of confidentiality and integrity can disrupt business operations and damage trust. Organizations in sectors such as finance, manufacturing, and public administration that rely on Tryton sao for critical workflows are particularly vulnerable. The requirement for user interaction and limited privileges reduces the risk somewhat but does not eliminate it, especially in environments with many users or where phishing and social engineering are common. The absence of known exploits in the wild suggests a window of opportunity for organizations to patch before active exploitation occurs.

European organizations should immediately verify their Tryton sao versions and upgrade to the patched releases: 7.6.11, 7.4.21, 7.0.40, or 6.0.69. If immediate patching is not feasible, implement web application firewalls (WAFs) with rules to detect and block typical XSS payloads targeting completion fields. Conduct user awareness training to reduce the risk of social engineering that could trigger user interaction with malicious content. Review and harden input validation and output encoding practices in any custom modules or integrations with Tryton sao. Monitor logs for unusual user activity or script injection attempts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks. Regularly audit and update all ERP components to maintain security hygiene. Coordinate with Tryton community and vendors for timely updates and security advisories.