Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server. Note that if server-side LaTeX rendering is not in use (i.e. `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply. It is recommended to update to Indico 3.3.12 as soon as possible. It is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. As a workaround, remove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality.
Published: 2026-03-23
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via LaTeX injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in the LaTeX sanitizer of Indico allows specially crafted LaTeX snippets to bypass security checks and access local files or execute code with the privileges of the process running the server. This can lead to full system compromise if the server's LaTeX renderer is enabled. If the server is not configured to run server-side LaTeX (XELATEX_PATH unset), this vulnerability does not apply.

Affected Systems

Indico, the event management platform used by CERN; versions earlier than 3.3.12 are affected. The vulnerability is tied to the TeXLive integration and the LaTeX sanitizer in these releases.

Risk and Exploitability

The CVSS score of 7.7 reflects a high-severity RCE. The EPSS score of less than 1% indicates a low probability of widespread exploitation, and the vulnerability is not listed on the CISA KEV list. An attack likely involves providing a malicious LaTeX payload through the web interface, which the rendering engine processes and executes on the server, allowing an attacker to read files or run arbitrary commands with the privileges of the Indico process.

Generated by OpenCVE AI on March 24, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Indico to version 3.3.12 or later.
  • Enable the containerized LaTeX renderer using podman to isolate processing.
  • As a temporary workaround, remove or comment out the XELATEX_PATH setting in indico.conf and restart the indico-uwsgi and indico-celery services to disable LaTeX rendering.

Generated by OpenCVE AI on March 24, 2026 at 23:21 UTC.
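To turn the advisory's two conditions (version earlier than 3.3.12, and `XELATEX_PATH` set in `indico.conf`) into a repeatable exposure check, here is an added example; it is not code from the advisory or the Indico project. It assumes `indico.conf` is in Indico's Python-syntax format, reads it with `ast` instead of executing it, and treats an `XELATEX_PATH` that it cannot evaluate statically as set (the conservative choice); the sample configs are constructed.

```python
# Added example, not Indico's own code: exposure check for CVE-2026-33046.
# Assumes indico.conf is Python syntax (Indico's format) and applies only the
# advisory's two conditions: version < 3.3.12 and XELATEX_PATH set.
import ast
from typing import Any

FIXED_VERSION = (3, 3, 12)  # first release carrying the fix
UNPARSED = object()         # XELATEX_PATH assigned from a non-literal expression

def parse_version(text: str) -> tuple:
    """'3.3.11' -> (3, 3, 11); the first non-numeric component ends the tuple."""
    parts = []
    for comp in text.strip().split('.'):
        if not comp.isdigit():
            break
        parts.append(int(comp))
    return tuple(parts)

def xelatex_path_from_conf(conf_text: str) -> Any:
    """Read XELATEX_PATH from an indico.conf body without executing the file.
    Only literal assignments are evaluated; a commented-out line is not seen.
    Returns None when unset or None, the literal value when set, or UNPARSED
    when the value is computed (e.g. from os.environ) and cannot be read here."""
    value: Any = None
    for node in ast.parse(conf_text).body:
        if not isinstance(node, ast.Assign):
            continue
        if any(isinstance(t, ast.Name) and t.id == 'XELATEX_PATH' for t in node.targets):
            try:
                value = ast.literal_eval(node.value)
            except ValueError:
                value = UNPARSED
    return value

def assess(version: str, conf_text: str) -> str:
    """'patched', 'not-affected' (server-side LaTeX disabled) or 'vulnerable'.
    An XELATEX_PATH that cannot be parsed is treated as set, the conservative choice."""
    if parse_version(version) >= FIXED_VERSION:
        return 'patched'
    path = xelatex_path_from_conf(conf_text)
    if path is None or path == '':
        return 'not-affected'
    return 'vulnerable'

# Constructed sample configs (not from any real deployment).
CONF_ENABLED = "XELATEX_PATH = '/usr/bin/xelatex'\n"
CONF_DISABLED = "# XELATEX_PATH = '/usr/bin/xelatex'\nXELATEX_PATH = None\n"
```

Run `assess(version, open('/path/to/indico.conf').read())` against the deployment's real file; a result of 'vulnerable' means the workaround (unset `XELATEX_PATH` and restart `indico-uwsgi` and `indico-celery`) or the upgrade is needed.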


Advisories
Source: Github GHSA
ID: GHSA-rm2q-f7jv-3cfp
Title: Indico discloses local files resulting in Remote Code Execution through LaTeX injection
History

Tue, 24 Mar 2026 22:00:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Cern; Cern indico
  CPEs: cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*
  Vendors & Products: Cern; Cern indico
  Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 24 Mar 2026 14:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Indico; Indico indico
  Vendors & Products: Indico; Indico indico

Tue, 24 Mar 2026 02:30:00 +0000

Values Removed: (none)
Values Added:
  Description: Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server. Note that if server-side LaTeX rendering is not in use (ie `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply. It is recommended to update to Indico 3.3.12 as soon as possible. It is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. As a workaround, remove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality.
  Title: Indico discloses local files resulting in Remote Code Execution through LaTeX injection
  Weaknesses: CWE-22; CWE-78
  References: (empty)
  Metrics: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T13:42:19.688Z

Reserved: 2026-03-17T18:10:50.211Z

Link: CVE-2026-33046

Vulnrichment

Updated: 2026-03-24T13:42:16.058Z

NVD

Status: Analyzed

Published: 2026-03-23T23:17:12.520

Modified: 2026-03-24T21:51:13.703

Link: CVE-2026-33046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:11Z

Weaknesses