—

PYSEC-2026-136

Details

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tendenci

Introduced in: 0

No fixed version published yet for tendenci (pip). Pin to a known-safe version or switch to an alternative.

References

https://www.tendenci.com/ [WEB]
https://www.vulncheck.com/advisories/tendenci-csv-formula-injection [ADVISORY]
https://github.com/tendenci/tendenci [PACKAGE]
https://www.exploit-db.com/exploits/49145 [EVIDENCE]