—

PYSEC-2026-136

상세

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / tendenci

최초 영향 버전: 0

No fixed version published yet for tendenci (pip). Pin to a known-safe version or switch to an alternative.

참고

https://www.tendenci.com/ [WEB]
https://www.vulncheck.com/advisories/tendenci-csv-formula-injection [ADVISORY]
https://github.com/tendenci/tendenci [PACKAGE]
https://www.exploit-db.com/exploits/49145 [EVIDENCE]