Cyber Posture

CVE-2020-36962

Critical · Public PoC

Published: 28 January 2026
Modified: 02 February 2026
KEV Added: none (not in the CISA KEV catalog)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36962 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Tendenci (vendor: Tendenci). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.7% of CVEs by exploit likelihood (EPSS 0.0027), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and User Execution: Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

SI-10 Information Input Validation (prevent): directly prevents formula injection by validating and sanitizing user input in the contact form message field, blocking payloads such as '=10+20+cmd|/C calc!A0'.

SI-15 Information Output Filtering (prevent): filters output during CSV export to encode or escape message-field content so that spreadsheet applications do not interpret injected formulas as executable commands. Because legitimate messages can begin with characters such as '+' or '-', the output-side control is the one that must not be skipped; input validation alone is either bypassable or too aggressive.

SI-2 Flaw Remediation (prevent): mandates identification, reporting, testing and correction of the specific flaw in Tendenci 12.3.1, eliminating the CSV formula injection vulnerability.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 User Execution: Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Unauthenticated exploitation of the public-facing contact form (T1190) injects formulas into the CSV export; execution then depends on a user opening the exported file in a spreadsheet application (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like '=10+20+cmd|' /C calc'!A0' in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications.

Deeper analysis · AI

CVE-2020-36962 is a CSV formula injection vulnerability in Tendenci 12.3.1, specifically within the contact form message field. Attackers can inject malicious formulas into submitted messages, which are then included in exported CSV files. When these files are opened in spreadsheet applications, the formulas can execute. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1236.

Unauthenticated remote attackers can exploit this issue by submitting crafted payloads, such as '=10+20+cmd|/C calc!A0', through the contact form. If a site administrator exports the form data to CSV and then opens the file in a spreadsheet program that honours DDE (the cmd| ... !A0 syntax is a Windows DDE call), the payload triggers command execution on the administrator's workstation, with high impact on confidentiality, integrity and availability. Note that this chain depends on the administrator exporting and opening the file, which the T1204.002 mapping captures even though the CVSS vector records UI:N; spreadsheet clients also typically prompt before launching an external application via DDE, so practical impact depends on client configuration.
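As an added example, not Tendenci's own code and not taken from the advisory or exploit entry, the following covers both the SI-10/SI-15 controls listed above and the attack chain just described: a naive CSV export that reproduces the vulnerable pattern, a hardened export that neutralises formula-trigger characters following OWASP CSV-injection guidance, and a scanner that flags formula-like cells in a file that has already been exported. The field names and sample submissions are constructed for illustration; only the payload string is the one quoted in the NVD description.

```python
"""Added example (not Tendenci project code): the CSV formula-injection class
behind CVE-2020-36962, shown as a naive export next to a hardened one, plus a
scanner for exports that already exist.  Field names and sample rows below are
constructed for illustration."""
import csv
import io

# Characters that make Excel/LibreOffice evaluate a cell as a formula (=, +, -, @)
# plus separator characters that can break out of a cell in some parsers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value: str) -> bool:
    """SI-10 style input check: does this field start with a formula trigger?
    Leading spaces are stripped conservatively so ' =1+1' is still flagged."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """SI-15 style output filter: prefix a dangerous cell with a single quote so
    the spreadsheet reads it as text.  The export is therefore not byte-identical
    to the stored data; that is the accepted trade-off of this mitigation."""
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def _raw(value) -> str:
    """Vulnerable behaviour: write the stored value verbatim."""
    return "" if value is None else str(value)


def export_rows(rows, fieldnames, hardened=True) -> str:
    """Return CSV text for dict rows.  hardened=False reproduces the vulnerable
    pattern; hardened=True applies neutralize_cell to every value.  QUOTE_ALL
    keeps embedded separators and newlines inside their cell either way."""
    transform = neutralize_cell if hardened else _raw
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: transform(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def scan_csv(text: str):
    """IR/detection helper: find cells in an existing export that a spreadsheet
    would evaluate.  Returns (row_number, column_index, value); row 1 is the
    header row."""
    hits = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((n, col, cell))
    return hits


# Constructed sample submissions: one benign, one carrying the DDE payload
# quoted in the NVD description, one benign message that starts with "+".
SAMPLE_ROWS = [
    {"name": "Alice", "email": "alice@example.org",
     "message": "Hello, I have a question about membership."},
    {"name": "attacker", "email": "x@example.net",
     "message": "=10+20+cmd|' /C calc'!A0"},
    {"name": "Bob", "email": "bob@example.org",
     "message": "+1 555 0100 is my number"},
]
FIELDS = ["name", "email", "message"]


def demo():
    """Export the sample rows both ways and scan each result."""
    unsafe = export_rows(SAMPLE_ROWS, FIELDS, hardened=False)
    safe = export_rows(SAMPLE_ROWS, FIELDS, hardened=True)
    return {"unsafe_hits": scan_csv(unsafe),
            "safe_hits": scan_csv(safe),
            "safe_csv": safe}


if __name__ == "__main__":
    result = demo()
    print("formula cells in naive export:", result["unsafe_hits"])
    print("formula cells in hardened export:", result["safe_hits"])
    print(result["safe_csv"])
```

Running the module flags the payload row and Bob's "+1 555..." message in the naive export and nothing in the hardened one; the scanner is the check to run over any CSV exported from the vulnerable version before it is opened on an administrator's machine.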

Advisories and references, including the VulnCheck advisory at https://www.vulncheck.com/advisories/tendenci-csv-formula-injection and a public exploit entry at https://www.exploit-db.com/exploits/49145, provide additional details. The Tendenci GitHub repository (https://github.com/tendenci/tendenci) and official site (https://www.tendenci.com/) offer resources for further investigation into patches or mitigations. The CVE was published on 2026-01-28T18:16:46.277.

Details

CWE(s): CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Affected Products: tendenci / tendenci 12.3.1 (vendor / product / version)

CVEs Like This One

CVE-2025-55745 (shared CWE-1236)
CVE-2024-45084 (shared CWE-1236)
CVE-2026-35157 (shared CWE-1236)
CVE-2023-53913 (shared CWE-1236)
CVE-2024-55532 (shared CWE-1236)
CVE-2025-50572 (shared CWE-1236)
CVE-2023-46400 (shared CWE-1236)
CVE-2025-56267 (shared CWE-1236)
CVE-2023-46401 (shared CWE-1236)
CVE-2026-23873 (shared CWE-1236)
