CVE-2026-33046

Source
https://cve.org/CVERecord?id=CVE-2026-33046
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33046
Aliases
Published
2026-03-23T22:45:29.067Z
Modified
2026-04-10T05:42:34.425235Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Indico discloses local files resulting in Remote Code Execution through LaTeX injection
Details

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, vulnerabilities in TeXLive combined with obscure LaTeX syntax that circumvented Indico's LaTeX sanitizer made it possible to use specially crafted LaTeX snippets to read local files or execute code with the privileges of the user running Indico on the server. Note that if server-side LaTeX rendering is not in use (i.e. XELATEX_PATH was not set in indico.conf), this vulnerability does not apply. It is recommended to update to Indico 3.3.12 as soon as possible. It is also strongly recommended to enable the containerized LaTeX renderer (using podman), which isolates it from the rest of the system. As a workaround, remove the XELATEX_PATH setting from indico.conf (or comment it out or set it to None) and restart the indico-uwsgi and indico-celery services to disable LaTeX functionality.

Database specific
{
    "cwe_ids": [
        "CWE-22",
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33046.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/indico/indico

Affected ranges

Type
GIT
Repo
https://github.com/indico/indico
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.12"
        }
    ]
}

Affected versions

v0.*
v0.97b
v0.97b2
v1.*
v1.9.11.dev3
v1.9.11.dev6
v1.9.11.dev7
v1.9.11.dev8
v1.9.11.dev9
v1.9.9
v2.*
v2.0a1
v2.0rc1
v2.1
v2.1a1
v2.1a2
v2.1a3
v2.1b1
v2.1rc1
v2.1rc2
v2.1rc3
v2.1rc4
v2.1rc5
v2.1rc6
v2.2
v2.3
v2.3.1
v3.*
v3.0
v3.0rc1
v3.0rc2
v3.2
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.6+docs
v3.3
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33046.json"