CVE-2026-25739

MEDIUM

Indico < 3.3.10 - Stored Cross-Site Scripting via Material File Upload

Title source: llm

Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp

Release Notes x_refsource_misc

https://github.com/indico/indico/releases/tag/v3.3.10

Scores

CVSS v3 5.4

EPSS 0.0006

EPSS Percentile 18.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

cern/indico < 3.3.10

pypi/indico 0 - 3.3.10PyPI

Published Feb 19, 2026

Tracked Since Feb 19, 2026