Tendenci

4 CVEs product

CVE-2025-70960 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

XSS Tendenci
NVD GitHub
CVSS 3.1: 5.4, EPSS: 0.0%

CVE-2025-70959 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. [CVSS 5.4 MEDIUM]

XSS Tendenci
NVD GitHub
CVSS 3.1: 5.4, EPSS: 0.0%

CVE-2020-36962 CRITICAL POC Act Now

Tendenci 12.3.1 has a CSV formula injection in the contact form message field enabling code execution when administrators export and open data in spreadsheet applications.

Code Injection Tendenci
NVD GitHub Exploit-DB
CVSS 3.1: 9.8, EPSS: 0.3%

CVE-2026-23946 MEDIUM POC PATCH This Month

Remote code execution in Tendenci CMS versions 15.3.11 and below allows authenticated staff users to execute arbitrary code through unsafe pickle deserialization in the Helpdesk module's reporting function. The vulnerability stems from incomplete patching of CVE-2020-14942, where the run_report() function continues to use unsafe pickle.loads() despite the ticket_list() function being corrected. Public exploit code exists for this issue, though impact is limited to the privileges of the application's runtime user.

Python RCE Deserialization Tendenci
NVD GitHub
CVSS 3.1: 6.8, EPSS: 0.4%