VYPR
Moderate severity · OSV Advisory · Published Jan 28, 2026 · Updated Mar 5, 2026

Tendenci 12.3.1 - CSV/Formula Injection

CVE-2020-36962

Description

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
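
A common mitigation for the issue described above is to neutralize user-supplied cells when the CSV is written, shown here as an added example. This is not Tendenci's code or its actual patch; the function names and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (per OWASP CSV injection guidance): = + - @, plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value a spreadsheet will show as text instead of evaluating."""
    if isinstance(value, (int, float)):
        return value  # genuine numbers such as -5 are not attacker-supplied text
    text = "" if value is None else str(value)
    # Check the raw text and the text after leading whitespace, so that
    # " =1+1" or "\t=1+1" does not slip past the filter.
    if text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text  # a leading apostrophe forces text interpretation
    return text


def export_contacts_csv(header, rows):
    """Write rows to CSV with every cell quoted and formula prefixes defused."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)  # header is application-controlled
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample submissions; the second message is the payload quoted
# in the advisory description.
SAMPLE_HEADER = ["name", "email", "message"]
SAMPLE_ROWS = [
    ["Alice", "alice@example.org", "Please call me back."],
    ["Mallory", "m@example.org", "=10+20+cmd|' /C calc'!A0"],
    ["Bob", "bob@example.org", -5],
]

if __name__ == "__main__":
    print(export_contacts_csv(SAMPLE_HEADER, SAMPLE_ROWS), end="")
```

The apostrophe prefix stays in the data, so consumers that parse the export programmatically rather than in a spreadsheet need to account for it.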

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
tendenci (PyPI) | < 12.3.2 | 12.3.2

Affected products

3
  • Tendenci/Tendenci · OSV · 2 versions
    11.4.3, v11.0, v11.0.1, … + 1 more
    • (no CPE) range: 11.4.3, v11.0, v11.0.1, …
    • (no CPE) range: =12.3.1
  • ghsa-coords
    Range: < 12.3.2
