Pickle Rick-rolled Again: The Zombie RCE in Tendenci CMS
Jan 21, 2026 · 5 min read
Executive Summary (TL;DR)
Tendenci CMS failed to fully remove unsafe `pickle` deserialization in its Helpdesk module, reviving a vulnerability thought to be dead since 2020. Authenticated staff members could achieve Remote Code Execution (RCE) by saving a malicious report query. Fixed in version 15.3.12 by replacing `pickle` with `simplejson`.
A classic case of 'patch it once, shame on you; patch it twice, shame on me.' Tendenci CMS suffered from an authenticated Remote Code Execution (RCE) vulnerability due to an incomplete fix for a 2020 issue, leaving the Helpdesk module exposed to Python pickle deserialization attacks.
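To make the bug class and the fix concrete, here is an added example (not Tendenci's code; the base64-wrapped storage format and the query field names are assumptions) that puts the `pickle`-based loader beside a JSON-based one, plus a defender-side check that statically scans a stored blob for the opcodes a pure-data pickle never needs, without unpickling it:

```python
import base64
import json
import pickle
import pickletools

# Constructed sample of a helpdesk report query (field names are assumptions).
SAMPLE_QUERY = {
    "filtering": {"status__in": [1, 2]},
    "sorting": "created",
    "search_string": "printer",
}

# Opcodes that let a pickle stream name and call arbitrary Python callables.
# A pickle of plain dicts, lists, strings and numbers never emits any of them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
                     "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

def pickle_opcodes_present(blob: bytes) -> set:
    """List opcode names in a pickle stream; pickletools.genops never executes it."""
    return {op.name for op, _arg, _pos in pickletools.genops(blob)}

def flag_unsafe_pickle(b64: str) -> set:
    """Dangerous opcodes found in a base64-encoded pickle; an empty set means data only."""
    return pickle_opcodes_present(base64.b64decode(b64)) & DANGEROUS_OPCODES

# --- Vulnerable pattern: the loader an incomplete fix leaves behind ---
def load_query_vulnerable(b64: str) -> dict:
    # pickle.loads runs whatever callables the stream names; never use it on user-controlled data.
    return pickle.loads(base64.b64decode(b64))

# --- Hardened pattern: JSON carries data only, so no code path exists to hijack ---
def save_query_json(query: dict) -> str:
    return base64.b64encode(json.dumps(query).encode()).decode()

def load_query_json(b64: str) -> dict:
    data = json.loads(base64.b64decode(b64))
    if not isinstance(data, dict):
        raise ValueError("saved query must be a JSON object")
    return data

# Constructed blobs: a pure-data pickle, and a benign object pickle whose stream
# still names a callable (range) via REDUCE, which the scanner should flag.
DATA_PICKLE_B64 = base64.b64encode(pickle.dumps(SAMPLE_QUERY)).decode()
OBJECT_PICKLE_B64 = base64.b64encode(pickle.dumps(range(3))).decode()
```

Scanning existing rows with `flag_unsafe_pickle` during the migration to JSON lets an operator find stored queries that already contain more than plain data.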
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Systems
Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Tendenci | <= 15.3.11 | 15.3.12 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 (Insecure Deserialization) |
| CVSS v3.1 | 6.8 (Medium) |
| Attack Vector | Network (Authenticated) |
| Impact | Remote Code Execution (RCE) |
| Language | Python |
| Affected Component | tendenci.apps.helpdesk |
Weakness description (CWE-502): the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.