GHSA-4q3w-jgfx-4792MediumCVSS 9.8

Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field

Published
January 28, 2026
Last Modified
June 9, 2026

🔗 CVE IDs covered (1)

📋 Description

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

🎯 Affected products1

  • pip/tendenci:< 12.3.2

🔗 References (8)