FKIE_CVE-2026-23946

Vulnerability from fkie_nvd - Published: 2026-01-22 01:15 - Updated: 2026-02-17 16:44
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12.
References
security-advisories@github.comhttps://docs.python.org/3/library/pickle.html#restricting-globalsNot Applicable
security-advisories@github.comhttps://github.com/advisories/GHSA-jqmc-fxxp-r589Not Applicable
security-advisories@github.comhttps://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1Patch
security-advisories@github.comhttps://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636Patch
security-advisories@github.comhttps://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0ePatch
security-advisories@github.comhttps://github.com/tendenci/tendenci/issues/867Exploit, Issue Tracking, Patch, Vendor Advisory
security-advisories@github.comhttps://github.com/tendenci/tendenci/releases/tag/v15.3.12Release Notes
security-advisories@github.comhttps://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
tendenci tendenci *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tendenci:tendenci:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "830362AC-5281-471F-A3E9-830713123133",
              "versionEndExcluding": "15.3.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python\u0027s pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12."
    },
    {
      "lang": "es",
      "value": "Tendenci es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto creado para organizaciones sin fines de lucro, asociaciones y sitios basados en causas. Las versiones 15.3.11 e inferiores incluyen una vulnerabilidad cr\u00edtica de deserializaci\u00f3n en el m\u00f3dulo Helpdesk (que no est\u00e1 habilitado por defecto). Esta vulnerabilidad permite la ejecuci\u00f3n remota de c\u00f3digo (RCE) por parte de un usuario autenticado con nivel de seguridad de personal debido al uso del m\u00f3dulo pickle de Python en helpdesk /reports/. El CVE-2020-14942 original se parche\u00f3 de forma incompleta. Aunque se corrigi\u00f3 ticket_list() para usar deserializaci\u00f3n JSON segura, la funci\u00f3n run_report() todav\u00eda usa pickle.loads() inseguro. El impacto est\u00e1 limitado a los permisos del usuario que ejecuta la aplicaci\u00f3n, t\u00edpicamente www-data, que generalmente carece de permisos de escritura (excepto para directorios de carga) y ejecuci\u00f3n. Este problema ha sido corregido en la versi\u00f3n 15.3.12."
    }
  ],
  "id": "CVE-2026-23946",
  "lastModified": "2026-02-17T16:44:09.617",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-22T01:15:52.467",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://docs.python.org/3/library/pickle.html#restricting-globals"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://github.com/advisories/GHSA-jqmc-fxxp-r589"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tendenci/tendenci/issues/867"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/tendenci/tendenci/releases/tag/v15.3.12"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.