Cyber Posture

CVE-2020-36962

Critical · Public PoC

Published: 28 January 2026
Modified: 02 February 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field: the message text is written unmodified into the CSV export, so an attacker can plant a spreadsheet formula in it. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the exported CSV is opened in a spreadsheet application that evaluates the formula.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: SI-10 (Information Input Validation) directly prevents formula injection by validating and sanitizing user input in the contact form message field, rejecting or neutralizing values that begin with formula characters such as the payload =10+20+cmd|' /C calc'!A0.

Prevent: SI-15 (Information Output Filtering) filters output during CSV export so that message field content is encoded or escaped (for example by prefixing a leading apostrophe to cells that start with =, +, -, @, tab or carriage return), preventing spreadsheet applications from interpreting injected formulas as executable commands.

Prevent: SI-2 (Flaw Remediation) mandates identification, reporting, testing, and correction of the specific flaw in Tendenci 12.3.1, eliminating the CSV formula injection vulnerability at the source.
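The two technical controls above, input-side validation (SI-10) and output-side filtering (SI-15), are easy to get subtly wrong, so here is an added worked example in Python (the language Tendenci is written in). This is illustrative code written for this page, not Tendenci's own export code; the function names, the sample submissions and the trigger-character list are assumptions, and the payload string is the one quoted in the CVE description.

```python
import csv
import io

# Leading characters that make common spreadsheet applications treat a cell
# as a formula. '=', '+', '-', '@' are the widely documented set; tab and
# carriage return are included because they have also been abused.
# Assumption: this list follows common CSV-injection hardening guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# The payload quoted in the CVE description, reproduced here for testing only.
PAYLOAD = "=10+20+cmd|' /C calc'!A0"


def is_formula_like(value: str) -> bool:
    """Input-side check (SI-10): does this field look like a formula?

    Leading whitespace is stripped first because spreadsheets ignore it when
    deciding whether a cell is a formula."""
    return value.lstrip().startswith(FORMULA_TRIGGERS)


def flag_submissions(rows):
    """Return the indices of submissions whose message field is formula-like.

    Suitable for a validation hook on the contact form or a review queue."""
    return [i for i, (_name, _email, message) in enumerate(rows)
            if is_formula_like(str(message))]


def neutralize_cell(value) -> str:
    """Output-side filter (SI-15): make one cell inert for spreadsheet import.

    Prefixes a single quote to any value that starts with a trigger character
    so the spreadsheet reads the cell as text. Embedded double quotes are
    handled by the csv module's quoting, not here."""
    text = str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_contacts(rows, neutralize=True) -> str:
    """Write contact-form submissions (name, email, message) to CSV text.

    neutralize=False reproduces the vulnerable behaviour described in the
    advisory: field values are written raw. neutralize=True applies
    neutralize_cell() to every field before writing."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email", "message"])
    for row in rows:
        cells = [neutralize_cell(c) if neutralize else str(c) for c in row]
        writer.writerow(cells)
    return buf.getvalue()


# Constructed sample submissions (not real Tendenci data).
SAMPLE_ROWS = [
    ("Alice", "alice@example.org", "Hello, I have a question."),
    ("Mallory", "mallory@example.org", PAYLOAD),
    ("Bob", "bob@example.org", "-5 degrees today"),
]

if __name__ == "__main__":
    print("flagged rows:", flag_submissions(SAMPLE_ROWS))
    print("--- vulnerable export ---")
    print(export_contacts(SAMPLE_ROWS, neutralize=False))
    print("--- hardened export ---")
    print(export_contacts(SAMPLE_ROWS))
```

Two points worth noticing when running it. First, the vulnerable export writes the cell as "=10+20+cmd|' /C calc'!A0" with the double quotes intact; CSV quoting alone does not stop a spreadsheet from evaluating the formula, which is why an output filter is needed in addition to the csv module's escaping. Second, the hardened export also prefixes Bob's benign "-5 degrees today", so the leading apostrophe may be visible to the person opening the file in some spreadsheet versions; that cosmetic cost is the usual trade-off for neutralizing every field rather than trying to guess which values are malicious.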

Security Summary [AI-generated]

CVE-2020-36962 is a CSV formula injection vulnerability in Tendenci 12.3.1, specifically within the contact form message field. Attackers can inject spreadsheet formulas into submitted messages, which are then written unmodified into exported CSV files. When such a file is opened in a spreadsheet application that evaluates the formulas, they execute. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1236 (Improper Neutralization of Formula Elements in a CSV File).

Unauthenticated remote attackers can exploit this issue by submitting crafted payloads, such as =10+20+cmd|' /C calc'!A0, through the contact form. If a site administrator exports the form data to CSV and subsequently opens the file in a compatible spreadsheet program, the payload triggers arbitrary command execution on the administrator's system, resulting in high impacts to confidentiality, integrity, and availability. Two practical caveats apply when prioritizing this finding: the attack chain as described depends on an administrator exporting and opening the file, which the UI:N component of the published vector does not reflect, and current Excel and LibreOffice releases warn before executing DDE or external-link formulas, so real-world impact depends on the victim's spreadsheet configuration rather than on the web application alone.

Advisories and references, including the VulnCheck advisory at https://www.vulncheck.com/advisories/tendenci-csv-formula-injection and an exploit at https://www.exploit-db.com/exploits/49145, provide additional details. The Tendenci GitHub repository (https://github.com/tendenci/tendenci) and official site (https://www.tendenci.com/) offer resources for further investigation into patches or mitigations. The CVE was published on 2026-01-28T18:16:46.277.

Details

CWE(s): CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Affected Products: vendor tendenci, product tendenci, version 12.3.1

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 User Execution: Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Unauthenticated exploitation of the public-facing contact form (T1190) plants formulas in the CSV export; code execution then depends on an administrator opening that exported file in a spreadsheet application (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References