RCE in Indico
CVE-2026-33046
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's La…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.001 (29.6th percentile)
Affected products
- Indico — versions < 3.3.12
Weakness classification (CWE)
References
- https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp (x_refsource_CONFIRM)
- https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96 (x_refsource_MISC)
- https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6 (x_refsource_MISC)
- https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a (x_refsource_MISC)
- https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8 (x_refsource_MISC)
- https://github.com/indico/indico/releases/tag/v3.3.12 (x_refsource_MISC)