CyberSec.Space Logo
Back to CVE Browser

CVE-2020-36962

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0850%
EPSS Percentile44.21th
PublishedJan 28, 2026
Last ModifiedFeb 2, 2026

Vulnerability Description

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

Affected Platforms (CPE)

πŸ“¦
Tendenci

Tendenci

= 12.3.1

References & Advisories

πŸ”— https://github.com/tendenci/tendenci
πŸ”— https://www.exploit-db.com/exploits/49145
πŸ”— https://www.tendenci.com/
πŸ”— https://www.vulncheck.com/advisories/tendenci-csv-formula-injection
πŸ”— https://www.exploit-db.com/exploits/49145

Related Vulnerabilities

CVE-2020-149429.8

Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py.

CVE-2009-32385.5

The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, whi...

CVE-2008-07934.3

Multiple cross-site scripting (XSS) vulnerabilities in search.asp in Tendenci CMS allow remote attackers to inject arbitrary web s...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...