2026-01-28 17:35:08
VulnCheck
PUBLISHED
Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like =10+20+cmd| /C calc!A0 in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.