Headline
GHSA-339m-4qw5-j2g3: Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python’s pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs.
Key Finding: The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads().
Permission Scoping: The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions.
Vulnerability Details
Affected Version
- Version: Tendenci 15.3.11 and earlier (all versions since incomplete CVE-2020-14942 patch)
- Component:
tendenci/apps/helpdesk/views/staff.py
Related CVE
- CVE-2020-14942: Original pickle deserialization vulnerability (partially patched)
- GitHub Advisory: GHSA-jqmc-fxxp-r589
- Original Issue: https://github.com/tendenci/tendenci/issues/867
Tendenci User Role Hierarchy
| Level | Role | Description |
|---|---|---|
| 0 | is_superuser | Highest privilege - full Django admin |
| 1 | is_staff | user with Staff security level - can access helpdesk module |
| 2 | Authenticated User | Basic user access |
| 3 | Anonymous User | Public read-only access |
is_staff is a commonly assigned role (by a superuser) for helpdesk operators who manage support tickets - not system administrators.
Code Comparison (Patched vs Vulnerable)
| Function | Line | Deserialization | Status |
|---|---|---|---|
ticket_list() | 763 | simplejson.loads() | ✅ SAFE |
run_report() | 1062 | pickle.loads() | ❌ VULNERABLE |
Why This Qualifies for CVE Assignment
This vulnerability represents an incomplete patch bypass for CVE-2020-14942 with a clear exploitation path. The flaw allows a malicious user with Staff security level to achieve Remote Code Execution via Python’s pickle.loads. Though the damage is contained to the user that your Tendenci application runs.
Remediation
Update Tendenci to the latest version (v15.3.12 as of now) immediately if you have Helpdesk enabled. Note that Helpdesk is not enabled by default. All of our hosted sites have been patched, although none of our client sites have the Helpdesk enabled.
References
- Tendenci GitHub: https://github.com/tendenci/tendenci
- CVE-2020-14942: https://nvd.nist.gov/vuln/detail/CVE-2020-14942
- GitHub Advisory: https://github.com/advisories/GHSA-jqmc-fxxp-r589
- Original Issue: https://github.com/tendenci/tendenci/issues/867
- CWE-502: https://cwe.mitre.org/data/definitions/502.html
- Python Pickle Security: https://docs.python.org/3/library/pickle.html#restricting-globals
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-23946
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
Moderate severity GitHub Reviewed Published Jan 21, 2026 in tendenci/tendenci • Updated Jan 21, 2026
Package
pip tendenci (pip)
Affected versions
< 15.3.12
Description
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 21, 2026
EPSS score