PT-2026-27251 · Latex +4

Daw1012345

Published: 2026-03-23 · Updated: 2026-03-24

CVE-2026-33046

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.12

Description: Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Due to vulnerabilities in TeX Live and obscure LaTeX syntax that circumvented Indico's LaTeX sanitizer, specially crafted LaTeX snippets could be used to read local files or execute code with the privileges of the user running Indico on the server. This issue does not apply if server-side LaTeX rendering is not in use, that is, if the XELATEX_PATH setting is not configured in indico.conf.

Recommendations: Update to Indico version 3.3.12 as soon as possible. Enable the containerized LaTeX renderer using podman to isolate it from the rest of the system. Alternatively, remove the XELATEX_PATH setting from indico.conf or set it to None, then restart the indico-uwsgi and indico-celery services to disable LaTeX functionality.

Exploit · Fix

Weakness Enumeration: RCE · Path traversal · OS Command Injection

Related Identifiers

CVE-2026-33046
GHSA-RM2Q-F7JV-3CFP

Affected Products

Flask-Multipass
Indico
Latex
Tex Live
Podman