Description
Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12.
Published: 2026-01-22
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution (authenticated staff user)
Action: Apply Patch
AI Analysis

Impact

Tendenci is an open‑source content management system. In versions 15.3.11 and older, the Helpdesk module contains a flaw that allows an authenticated user with staff privileges to run arbitrary code. The vulnerability stems from the run_report function, which deserializes user‑supplied data using Python’s pickle.loads on the helpdesk /reports/ endpoint. Because pickle can instantiate any Python object, a crafted payload can cause the application to execute malicious code when it runs under the web server’s user.

Affected Systems

The affected product is Tendenci CMS, versions 15.3.11 and earlier. The Helpdesk module is not enabled by default, but any deployment that has left the module active is vulnerable.

Risk and Exploitability

The CVSS base score is 6.8, indicating moderate severity. The EPSS score is below 1%, reflecting a very low likelihood of exploitation. The issue is not listed in the CISA KEV catalog. The attack requires staff‑level authentication to access the report feature; once authenticated, the attacker can execute code with the privileges of the web server user, which typically cannot write or execute outside designated directories.

Generated by OpenCVE AI on April 18, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Tendenci v15.3.12 or later where the run_report function has been removed.
  • If updating immediately is not possible, disable the Helpdesk module or restrict access to the reports endpoint so that only trusted users can invoke it.
  • Ensure the web server runs under a user with the minimal necessary privileges and review file permissions for upload directories; consider removing executable permissions from the web root if appropriate.

Generated by OpenCVE AI on April 18, 2026 at 04:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-339m-4qw5-j2g3 Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
History

Tue, 17 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:tendenci:tendenci:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Tendenci
Tendenci tendenci
Vendors & Products Tendenci
Tendenci tendenci

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12.
Title Tendenci has Authenticated Remote Code Execution via Pickle Deserialization
Weaknesses CWE-502
CWE-94
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Tendenci Tendenci
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:50:51.715Z

Reserved: 2026-01-19T14:49:06.311Z

Link: CVE-2026-23946

cve-icon Vulnrichment

Updated: 2026-01-22T21:50:46.968Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T01:15:52.467

Modified: 2026-02-17T16:44:09.617

Link: CVE-2026-23946

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses