GHSA-RM2Q-F7JV-3CFP

Vulnerability from github – Published: 2026-03-23 20:43 – Updated: 2026-03-25 20:46
VLAI?
Summary
Indico discloses local files resulting in Remote Code Execution through LaTeX injection
Details

[!NOTE] If server-side LaTeX rendering is not in use (ie XELATEX_PATH was not set in indico.conf), this vulnerability does not apply.

Impact

Due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server.

Patches

It is recommended to update to Indico 3.3.12 as soon as possible. See the docs for instructions on how to update.

It is also strongly recommended to enable the containerized LaTeX renderer (using podman), which isolates it from the rest of the system. See the docs for details - it is very easy and from now on the only recommended/supported way of using LaTeX.

Workarounds

Remove the XELATEX_PATH setting from indico.conf (or comment it out or set it to None) and restart the indico-uwsgi and indico-celery services to disable LaTeX functionality.

For more information

For any questions or comments about this advisory:

Severity ?
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T20:43:43Z",
    "nvd_published_at": "2026-03-23T23:17:12Z",
    "severity": "HIGH"
  },
  "details": "\u003e [!NOTE]\n\u003e If server-side LaTeX rendering is not in use (ie `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply.\n\n### Impact\nDue to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico\u0027s LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server.\n\n### Patches\nIt is recommended to update to [Indico 3.3.12](https://github.com/indico/indico/releases/tag/v3.3.12) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\nIt is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/#upgrading-to-3-3-12) for details - it is very easy and from now on the only recommended/supported way of using LaTeX.\n\n### Workarounds\nRemove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality.\n\n### For more information\nFor any questions or comments about this advisory:\n\n- Open a thread in [the forum](https://talk.getindico.io/)\n- Send an email to [indico-team@cern.ch](mailto:indico-team@cern.ch)",
  "id": "GHSA-rm2q-f7jv-3cfp",
  "modified": "2026-03-25T20:46:37Z",
  "published": "2026-03-23T20:43:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/indico/indico"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v3.3.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico discloses local files resulting in Remote Code Execution through LaTeX injection "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.