PyPI package
tendenci
pkg:pypi/tendenci
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-70959 | — | — | — | <= 15.3.7 | — | Feb 2, 2026 | A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. |
| CVE-2020-36962 | — | — | — | < 12.3.2 | 12.3.2 | Jan 28, 2026 | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd\|' /C calc'!A0' in the message field to trigger arbitrary comma |
| CVE-2026-23946 | — | — | — | < 15.3.12 | 15.3.12 | Jan 22, 2026 | Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote C |
| CVE-2020-14942 | — | — | — | < 12.0.11 | 12.0.11 | Jun 21, 2020 | Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py. |