PT-2026-20328 · Unknown · Flask-Multipass

Dreyercito · Published 2026-02-17 · Updated 2026-02-26 · CVE-2026-25739

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.10

Description: Indico, an event management system, is susceptible to a cross-site scripting issue when specific file types are uploaded as materials. The issue exists due to a flaw in the handling of file uploads. The system uses Flask-Multipass, a multi-backend authentication system for Flask. There is no information about the number of potentially affected devices worldwide or any real-world incidents where this issue was exploited. The vulnerable component is the material upload functionality.

Recommendations: Upgrade to version 3.3.10 to resolve the issue. If using nginx with Indico's STATIC_FILE_METHOD set to xaccelredirect, update the webserver configuration to include the following line in the .xsf/indico/ location block: add_header Content-Security-Policy $upstream_http_content_security_policy;. As a workaround, apply a strict Content Security Policy to the material download endpoints using your webserver configuration. As a further workaround, restrict content creation, including material uploads, to trustworthy users only.
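The nginx change from the recommendation above, shown in the context of the X-Accel-Redirect location block as an added illustration (not configuration taken from this advisory or from the Indico project); the alias path is an assumption that must match the STATIC_FILE_METHOD mapping in indico.conf.

```nginx
# Indico behind nginx with STATIC_FILE_METHOD = ('xaccelredirect', ...) in indico.conf.
# When the application answers a material download with an X-Accel-Redirect header,
# nginx serves the file from this internal location. On that internal redirect nginx
# only keeps a fixed set of upstream headers (Content-Type, Content-Disposition,
# Cache-Control, Expires, Accept-Ranges, Set-Cookie); a Content-Security-Policy header
# set by the application is dropped unless it is copied back explicitly.
location ~ ^/.xsf/indico/ {
    internal;
    alias /opt/indico/;   # assumption: the path mapped by STATIC_FILE_METHOD in indico.conf

    # Mitigation from the advisory: re-emit the CSP the application sent for the
    # download, so an uploaded HTML/SVG material cannot execute inline script
    # when it is rendered from the Indico origin.
    add_header Content-Security-Policy $upstream_http_content_security_policy;
}
```

Without the add_header line the block above serves the file with no CSP at all, which is the weak configuration the advisory's recommendation corrects.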

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25739
GHSA-JXC4-54G3-J7VP

Affected Products

Flask-Multipass
Indico