Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself, updating is sufficient; but to benefit from the strict Content Security Policy (CSP) that Indico now applies by default for file downloads, also update the webserver config if you use nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or the Indico setup documentation. Some workarounds are available: use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
Published: 2026-02-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch
AI Analysis

Impact

Indico, an event-management platform, is affected by a cross-site scripting flaw in versions prior to 3.3.10 that is triggered when users upload certain file types as materials. Malicious JavaScript embedded in such a file is served from the page that displays the uploaded material, so it executes in the browser of any user who views that material. The impact is limited to what is shown to the viewing user: the script can alter the appearance of the page or deliver further malicious payloads when it runs in the victim's browser.

Affected Systems

The affected product is CERN's Indico event-management system (indico:indico). All releases older than v3.3.10 are impacted. Versions 3.3.10 and newer contain the fix that removes the XSS vector.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score below 1% indicates that exploitation in the wild is considered unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated user who can upload a specially crafted material file; after upload, any other user who views the material is exposed to the injected script. Updating to v3.3.10 removes the vulnerability. For deployments that cannot be upgraded immediately, applying a strict Content-Security-Policy to the material download endpoints via the web-server configuration, or limiting upload privileges to trusted users, mitigates the risk.

Generated by OpenCVE AI on April 18, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Indico to version 3.3.10 or later to apply the XSS fix.
  • If your deployment uses nginx with the STATIC_FILE_METHOD set to xaccelredirect, update the web-server configuration to enforce the new strict Content-Security-Policy for material download endpoints.
  • Restrict material upload privileges to trusted users such as speakers or administrators.
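As an added illustration of the webserver-side workaround (not taken from the advisory or from Indico's own documentation), the following shows an nginx internal location that serves X-Accel-Redirect downloads, first without any policy and then with a strict CSP. The location path, the alias directory and the exact policy string are assumed placeholders; the "before" and "after" blocks are alternatives, so only one of them belongs in a real config.

```nginx
# Assumed placeholder internal location for Indico downloads when
# STATIC_FILE_METHOD = xaccelredirect; match it to your existing Indico nginx config.

# Before (weak): the download response carries no CSP, so a crafted material
# file that the browser renders inline is treated like any other page of the site.
location /.xsf/indico/ {
    internal;
    alias /opt/indico/;
}

# After (hardened): a strict CSP on every download response.
#   default-src 'none'  blocks all script, style and subresource loads;
#   sandbox             gives the document a unique opaque origin, like a
#                       sandboxed iframe, so it cannot act as the site's origin;
#   always              emits the header on every status code, not only 2xx/3xx.
# Caveat: add_header inside a location REPLACES the server-level add_header
# directives, so repeat here any server-wide headers you still need.
location /.xsf/indico/ {
    internal;
    alias /opt/indico/;
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    add_header X-Content-Type-Options nosniff always;
}
```

After reloading nginx, confirm the change by requesting a material download through Indico and checking that the response carries the Content-Security-Policy header.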

Advisories

Source: GitHub GHSA
ID: GHSA-jxc4-54g3-j7vp
Title: Indico Affected by Cross-Site-Scripting via material uploads
History

Thu, 26 Feb 2026 03:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cern; Cern indico
CPEs                                   cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*
Vendors & Products                     Cern; Cern indico

Fri, 20 Feb 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Indico; Indico indico
Vendors & Products                     Indico; Indico indico

Fri, 20 Feb 2026 01:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Description                            Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
Title                                  Indico affected by Cross-Site-Scripting via material uploads
Weaknesses                             CWE-79
References
Metrics                                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T19:49:22.187Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25739

Vulnrichment

Updated: 2026-02-19T19:49:13.896Z

NVD

Status : Analyzed

Published: 2026-02-19T16:27:15.270

Modified: 2026-02-26T02:56:29.780

Link: CVE-2026-25739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses