Deserialization Flaw in Tendenci Helpdesk Module by Tendenci
CVE-2026-23946

6.8 MEDIUM

Key Information:

Vendor

Tendenci

Status
Vendor
CVE Published:
22 January 2026

What is CVE-2026-23946?

The Tendenci platform, an open-source content management system designed for non-profits, contains a deserialization vulnerability in its Helpdesk module that affects versions up to 15.3.11. The flaw arises from the use of Python's pickle module in the helpdesk/reports/ interface, which can allow remote code execution by an authenticated user with staff-level privileges. Although previous vulnerabilities were addressed, the run_report() function still calls the insecure pickle.loads() function, leaving the system open to exploitation. Users are urged to update to version 15.3.12, where this issue has been resolved.
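The pattern described above, shown from the defensive side as an added example (this is not Tendenci's code, and the page does not show how 15.3.12 fixes the issue). It assumes a stored report query is a base64-encoded pickle of a plain dict; all function names and sample values are hypothetical. A legacy value is read with an unpickler that refuses every global lookup, then re-stored as JSON.

```python
import base64
import io
import json
import pickle


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every class or function lookup, so no callable can be reached."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_legacy_query(blob: str) -> dict:
    """Decode a base64 pickle made only of built-in containers and scalars."""
    raw = base64.b64decode(blob, validate=True)
    obj = NoGlobalsUnpickler(io.BytesIO(raw)).load()
    if not isinstance(obj, dict):
        raise ValueError("stored query must be a dict")
    return obj


def load_query(text: str) -> dict:
    """Replacement format: JSON can describe data but cannot name a callable."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("stored query must be a JSON object")
    return obj


def migrate(blob: str) -> str:
    """Convert one legacy value to JSON without running anything it contains."""
    return json.dumps(load_legacy_query(blob), sort_keys=True)


def is_rejected(blob: str) -> bool:
    """True when the legacy loader refuses the stored value."""
    try:
        load_legacy_query(blob)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


# Constructed sample values, not taken from Tendenci.
SAMPLE_QUERY = {"filtering": {"status__in": [1, 2]}, "sorting": "created"}
LEGACY_OK = base64.b64encode(pickle.dumps(SAMPLE_QUERY)).decode()
# pickle.dumps(len) stores a reference to a global; len itself is harmless.
LEGACY_WITH_GLOBAL = base64.b64encode(pickle.dumps(len)).decode()
```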

Affected Version(s)

tendenci < 15.3.12

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
