CVE-2026-25739

MEDIUM EPSS 5.7%
Published Feb 19, 20264mo ago · Modified Jun 17, 20262w ago
5.4 CVSS 3.1
Medium
Find Similar
Published Feb 19, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
5.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
cernindico* <3.3.10

References 2

  • github.com https://github.com/indico/indico/releases/tag/v3.3.10
    Release Notes
  • github.com https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp
    PatchVendor Advisory

Remediation

  • github.com https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp
    PatchVendor Advisory