Tendenci is vulnerable to arbitrary code execution. The ticket_list function in tendenci\apps\helpdesk\views\staff.py does not properly restrict the variables passed to the deserialization process and allows an attacker to supply a pickle of arbitrary size, potentially leading to arbitrary code execution.
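
One way to close both gaps named above (unrestricted deserialization and unbounded size) is sketched below. This is an added example, not Tendenci's code. It assumes the view expects a serialized dict of query parameters; load_query_params, DataOnlyUnpickler, MAX_BLOB_BYTES and the sample values are hypothetical.

```python
import io
import pickle
from collections import OrderedDict

MAX_BLOB_BYTES = 4096  # assumed limit; choose one that fits real saved queries


class DataOnlyUnpickler(pickle.Unpickler):
    """Loads plain containers and scalars; refuses every class or function lookup."""

    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode lands here. This is the point where
        # a pickle reaches importable callables, so nothing is allowed through.
        raise pickle.UnpicklingError(f"forbidden global: {module}.{name}")


def load_query_params(blob: bytes) -> dict:
    """Hardened stand-in for a bare pickle.loads(blob) on request data."""
    if len(blob) > MAX_BLOB_BYTES:
        raise ValueError("serialized query exceeds size limit")
    params = DataOnlyUnpickler(io.BytesIO(blob)).load()
    if not isinstance(params, dict):
        raise ValueError("serialized query must be a dict")
    return params


def is_rejected(blob: bytes) -> bool:
    """True when the loader refuses the input instead of returning data."""
    try:
        load_query_params(blob)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


# Constructed samples: a plain filter dict, and a benign object whose pickle
# references a global (collections.OrderedDict), which the loader must refuse.
SAMPLE_PARAMS = {"sorting": "created", "keyword": "vpn", "page": 2}
SAMPLE_WITH_GLOBAL = pickle.dumps(OrderedDict(status="open"))

if __name__ == "__main__":
    print(load_query_params(pickle.dumps(SAMPLE_PARAMS)))
    print(is_rejected(SAMPLE_WITH_GLOBAL), is_rejected(b"\x00" * 5000))
```

Refusing all globals removes the code-execution path, but pickle remains a poor fit for request data; storing the parameters in a data-only format such as JSON is the more robust fix.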