CVE-2020-36962
published 2026-01-28CVE-2020-36962: Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during…
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
10.68%
95.3th percentile
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tendenci | tendenci | — | — |
| tendenci | tendenci | >= 0 < 12.3.2 | 12.3.2 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4q3w-jgfx-4792: Tendenci 12
ghsa_unreviewed·2026-01-28
CVE-2020-36962 [MEDIUM] CWE-1236 GHSA-4q3w-jgfx-4792: Tendenci 12
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
GHSA
Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field
ghsa·2026-01-28
CVE-2020-36962 [MEDIUM] CWE-1236 Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field
Tendenci is Vulnerable to CSV Formula Injection through its Contact Form Message Field
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-01-28
Published