GHSA-4q3w-jgfx-4792
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4q3w-jgfx-4792
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-4q3w-jgfx-4792/GHSA-4q3w-jgfx-4792.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4q3w-jgfx-4792
- Aliases
- Published
- 2026-01-28T18:30:48Z
- Modified
- 2026-06-09T21:11:13.581282495Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field
- Details
-
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
- Database specific
{ "nvd_published_at": "2026-01-28T18:16:46Z", "github_reviewed_at": "2026-06-09T20:50:33Z", "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-1236" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-36962
- https://github.com/tendenci/tendenci/commit/3e37622cac81440c5a1f97c39f112a2cf4a5450c
- https://github.com/pypa/advisory-database/tree/main/vulns/tendenci/PYSEC-2026-136.yaml
- https://github.com/tendenci/tendenci
- https://www.exploit-db.com/exploits/49145
- https://www.tendenci.com
- https://www.vulncheck.com/advisories/tendenci-csv-formula-injection
Affected packages
PyPI / tendenci
Package
- Name
- tendenci
- View open source insights on deps.dev
- Purl
- pkg:pypi/tendenci
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed12.3.2
Affected versions
5.*
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.1.11
5.1.12
5.1.14
5.1.15
5.1.16
5.1.18
5.1.19
5.1.21
5.1.22
5.1.23
5.1.24
5.1.25
5.1.26
5.1.27
5.1.28
5.1.29
5.1.30
5.1.31
5.1.32
5.1.33
5.1.34
5.1.35
5.1.36
5.1.37
5.1.38
5.1.39
5.1.40
5.1.41
5.1.42
5.1.43
5.1.45
5.1.46
5.1.47
5.1.48
5.1.49
5.1.50
5.1.51
5.1.52
5.1.53
5.1.54
5.1.55
5.1.56
5.1.57
5.1.58
5.1.59
5.1.60
5.1.61
5.1.62
5.1.63
5.1.64
5.1.65
5.1.66
5.1.67
5.1.68
5.1.69
5.1.70
5.1.71
5.1.72
5.1.73
5.1.74
5.1.75
5.1.76
5.1.77
5.1.78
5.1.79
5.1.80
5.1.81
5.1.83
5.1.84
5.1.85
5.1.86
5.1.87
5.1.88
5.1.89
5.1.90
5.1.91
5.1.92
5.1.93
5.1.94
5.1.95
5.1.96
5.1.97
5.1.98
5.1.99
5.1.100
5.1.101
5.1.102
5.1.103
5.1.104
5.1.105
5.1.106
5.1.107
5.1.108
5.1.109
5.1.110
5.1.111
5.1.112
5.1.113
5.1.114
5.1.115
5.1.116
5.1.117
5.1.118
5.1.119
5.1.120
5.1.121
5.1.122
5.1.123
5.1.124
5.1.125
5.1.126
5.1.127
5.1.128
5.1.129
5.1.130
5.1.131
5.1.132
5.1.133
5.1.134
5.1.135
5.1.136
5.1.137
5.1.138
5.1.139
5.1.141
5.1.142
5.1.143
5.1.145
5.1.146
5.1.147
5.1.148
5.1.149
5.1.150
5.1.151
5.1.154
5.1.155
5.1.156
5.1.157
5.1.158
5.1.159
5.1.160
5.1.161
5.1.162
5.1.163
5.1.164
5.1.165
5.1.166
5.1.168
5.1.169
5.1.170
5.1.171
5.1.172
5.1.173
5.1.174
5.1.175
5.1.177
5.1.178
5.1.179
5.1.180
5.1.181
5.1.182
5.1.183
5.1.184
5.1.185
5.1.186
5.1.187
5.1.188
5.1.189
5.1.190
5.1.191
5.1.192
5.1.193
5.1.194
5.1.195
5.1.196
5.1.197
5.1.198
5.1.199
5.1.200
5.1.201
5.1.202
5.1.203
5.1.204
5.1.205
5.1.206
5.1.207
5.1.208
5.1.209
5.1.210
5.1.211
5.1.212
5.1.214
5.1.215
5.1.216
5.1.217
5.1.218
5.1.219
5.1.220
5.1.221
5.1.223
5.1.224
5.1.225
5.1.226
5.1.227
5.1.228
5.1.229
5.1.230
5.1.231
5.1.233
5.1.234
5.1.235
5.1.236
5.1.237
5.1.238
5.1.239
5.1.240
5.1.241
5.1.242
5.1.243
5.1.244
5.1.245
5.1.246
5.1.247
5.1.248
5.1.249
5.1.250
5.1.251
5.1.252
5.1.253
5.1.254
5.1.255
5.1.256
5.1.257
5.1.258
5.1.259
5.1.260
5.1.261
5.1.262
5.1.263
5.1.264
5.1.265
5.1.266
5.1.267
5.1.268
5.1.269
5.1.270
5.1.271
5.1.272
5.1.273
5.1.274
5.1.275
5.1.276
5.1.277
5.1.278
5.1.279
5.1.280
5.1.281
5.1.282
5.1.283
5.1.284
5.1.285
5.1.286
5.1.287
5.1.288
5.1.289
5.1.290
5.1.291
5.1.292
5.1.293
5.1.294
5.1.295
5.1.296
5.1.297
5.1.298
5.1.299
5.1.300
5.1.302
5.1.303
5.1.304
5.1.305
5.1.306
5.1.307
5.1.308
5.1.309
5.1.310
5.1.311
5.1.312
5.1.313
5.1.314
5.1.315
5.1.316
5.1.317
5.1.318
5.1.319
5.1.320
5.1.321
5.1.322
5.1.323
5.1.324
5.1.325
5.1.326
5.1.327
5.1.328
5.1.329
5.1.330
5.1.331
5.1.332
5.1.333
5.1.334
5.1.336
5.1.337
5.1.338
5.1.339
5.1.340
5.1.341
5.1.342
5.1.343
5.1.344
5.1.345
5.1.346
5.1.347
5.1.349
5.1.350
5.1.351
5.1.352
5.1.353
5.1.354
5.1.355
5.1.356
5.1.357
5.1.358
5.1.359
5.1.360
5.1.361
5.1.362
5.1.363
5.1.364
5.1.365
5.1.366
5.1.367
5.1.368
5.1.369
5.1.370
5.1.371
5.1.372
5.1.373
5.1.374
5.1.375
5.1.376
5.1.377
5.1.378
5.1.379
5.1.380
5.1.381
5.1.382
5.1.383
5.1.384
5.1.385
5.1.386
5.1.387
5.1.388
5.1.389
5.1.390
5.1.391
5.1.392
5.1.393
5.1.394
5.1.395
5.1.396
5.1.397
5.1.398
5.1.399
5.1.400
5.1.401
5.1.402
5.1.403
5.1.404
5.1.405
5.1.406
5.1.407
5.1.408
5.1.409
5.1.410
5.1.411
5.1.412
5.1.413
5.1.414
5.1.415
5.1.416
5.1.417
5.1.418
5.1.419
5.1.420
5.1.421
5.1.422
5.1.423
5.1.424
5.1.425
5.1.426
5.1.427
5.1.428
5.1.429
5.1.430
5.1.431
5.1.432
5.1.433
5.1.434
5.1.435
5.1.436
5.1.437
5.1.438
5.1.439
5.1.440
5.1.441
5.1.442
5.1.443
5.1.444
5.1.445
5.1.446
5.1.447
5.1.448
5.1.449
5.1.450
5.1.451
5.1.453
5.1.454
5.1.455
5.1.456
5.1.457
5.1.458
5.1.459
5.1.460
5.1.461
5.1.462
5.1.463
5.1.464
5.1.465
5.1.466
5.1.467
5.1.468
5.1.469
5.1.470
5.1.471
5.1.472
5.1.473
5.1.474
5.1.475
5.1.476
5.1.477
5.1.478
5.1.479
5.1.480
5.1.481
5.1.482
5.1.483
5.1.484
5.1.485
5.1.486
5.1.487
5.1.488
5.1.489
5.1.490
5.1.491
5.1.492
5.1.493
5.1.494
5.1.495
5.1.496
5.1.497
5.1.498
5.1.499
5.1.501
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
7.*
7.1.27
7.1.29
7.1.30
7.1.31
7.1.32
7.1.33
7.1.34
7.1.35
7.1.36
7.1.37
7.1.38
7.1.381
7.1.382
7.1.383
7.1.384
7.1.385
7.1.386
7.1.387
7.1.388
7.1.389
7.1.390
7.1.391
7.1.392
7.1.393
7.1.394
7.1.395
7.1.396
7.1.397
7.1.398
7.1.399
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.8
7.2.9
7.2.10
7.2.11
7.2.12
7.2.13
7.2.14
7.2.15
7.2.16
7.2.17
7.2.18
7.2.19
7.2.20
7.2.21
7.2.22
7.2.23
7.2.24
7.2.25
7.2.26
7.2.27
7.2.28
7.2.29
7.2.30
7.2.31
7.2.32
7.2.33
7.2.34
7.2.35
7.2.36
7.2.37
7.2.38
7.2.39
7.2.40
7.2.41
7.2.42
7.2.43
7.2.44
7.2.45
7.2.46
7.2.47
7.2.48
7.2.49
7.2.50
7.2.51
7.2.52
7.2.53
7.2.54
7.2.55
7.2.56
7.2.57
7.2.58
7.2.59
7.2.60
7.2.61
7.2.62
7.2.63
7.2.64
7.2.65
7.2.66
7.2.67
7.2.68
7.2.69
7.2.70
7.2.71
7.2.72
7.2.73
7.2.74
7.2.75
7.2.76
7.2.77
7.2.78
7.2.79
7.2.80
7.2.81
7.3.0
7.3.1
7.3.2
7.3.3
7.3.4
7.3.5
7.3.6
7.3.7
7.3.8
7.3.9
7.3.10
7.3.11
7.3.12
7.3.13
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.5.0
7.5.1
7.5.2
11.*
11.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.1
11.1.1
11.1.2
11.2
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
11.2.10
11.2.11
11.2.12
11.3
11.3.1
11.4
11.4.1
11.4.2
11.4.3
11.4.4
11.4.5
11.4.6
11.4.7
11.4.8
11.4.9
11.4.10
12.*
12.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.0.6
12.0.7
12.0.8
12.0.9
12.0.10
12.0.11
12.0.12
12.0.13
12.0.14
12.1
12.1.1
12.2
12.2.1
12.2.2
12.2.3
12.2.4
12.2.5
12.2.6
12.2.7
12.2.8
12.3
12.3.1