PT-2026-3886 · Tendenci · Tendenci
Nedlir · Published 2021-06-18 · Updated 2026-02-17 · CVE-2026-23946
CVSS v4.0 9.3 Critical
Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Tendenci versions 15.3.11 and earlier
Description: Tendenci, an open source content management system, has a critical deserialization issue in the Helpdesk module. An authenticated user with the staff security level can achieve Remote Code Execution (RCE) because the helpdesk /reports/ functionality uses Python's pickle module. The original vulnerability, addressed by CVE-2020-14942, was incompletely patched: while the ticket_list() function was updated to use safe JSON deserialization, the run_report() function continues to use the unsafe pickle.loads(). The impact of a successful exploit is limited to the permissions of the user account running the application, typically www-data. The run_report() function is located in tendenci/apps/helpdesk/views/staff.py.
Recommendations: Update Tendenci to version 15.3.12 or later.
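An added illustration (not Tendenci's own code) of the contrast the description draws: a saved helpdesk query restored with pickle.loads(), the JSON form the patched ticket_list() path uses, and a restricted unpickler that refuses any global reference, which is what a crafted pickle depends on. The saved-query field names and function names are assumptions.

```python
import io
import json
import pickle

# Constructed sample of a saved helpdesk query; the field names are an
# assumption for illustration, not Tendenci's real schema.
SAMPLE_QUERY = {"filtering": {"status__in": [1, 2]}, "sorting": "created"}

# Two stored blobs: a harmless pickled dict, and a pickle that references a
# module-level global (the builtin len) to show what the restricted unpickler
# rejects. Plain pickle.loads() would resolve that reference unconditionally.
LITERAL_BLOB = pickle.dumps(SAMPLE_QUERY)
GLOBAL_BLOB = pickle.dumps(len)


def load_query_unsafe(blob: bytes):
    """The vulnerable pattern: pickle.loads() on a blob a staff user controls."""
    return pickle.loads(blob)


class _LiteralsOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain literals can be restored.
    A mitigation for legacy pickled rows, not a substitute for storing JSON."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_query_legacy(blob: bytes):
    """Restore an already-stored pickle without resolving any global."""
    return _LiteralsOnlyUnpickler(io.BytesIO(blob)).load()


def load_query_json(text: str) -> dict:
    """The fixed pattern: JSON can only yield dicts, lists, strings, numbers."""
    query = json.loads(text)
    if not isinstance(query, dict):
        raise ValueError("saved query must be a JSON object")
    return query


def blob_is_accepted(blob: bytes) -> bool:
    """True if the restricted unpickler accepts the blob, False if it rejects it."""
    try:
        load_query_legacy(blob)
    except pickle.UnpicklingError:
        return False
    return True
```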

Weakness Enumeration
Deserialization of Untrusted Data
Code Injection

Related Identifiers
CVE-2026-23946
GHSA-339M-4QW5-J2G3
GHSA-JQMC-FXXP-R589

Affected Products
Tendenci