Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/113701?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/113701?format=api", "purl": "pkg:pypi/indico@3.3.12", "type": "pypi", "namespace": "", "name": "indico", "version": "3.3.12", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91457?format=api", "vulnerability_id": "VCID-px34-3ut4-cyeu", "summary": "Indico discloses local files resulting in Remote Code Execution through LaTeX injection\n> [!NOTE]\n> If server-side LaTeX rendering is not in use (ie `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply.\n\n### Impact\nDue to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server.\n\n### Patches\nIt is recommended to update to [Indico 3.3.12](https://github.com/indico/indico/releases/tag/v3.3.12) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\nIt is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/#upgrading-to-3-3-12) for details - it is very easy and from now on the only recommended/supported way of using LaTeX.\n\n### Workarounds\nRemove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality.\n\n### For more information\nFor any questions or comments about this advisory:\n\n- Open a thread in [the forum](https://talk.getindico.io/)\n- Send an email to [indico-team@cern.ch](mailto:indico-team@cern.ch)", "references": [ { "reference_url": "https://github.com/indico/indico", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico" }, { "reference_url": "https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96" }, { "reference_url": "https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6" }, { "reference_url": "https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a" }, { "reference_url": "https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8" }, { "reference_url": "https://github.com/indico/indico/releases/tag/v3.3.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico/releases/tag/v3.3.12" }, { "reference_url": "https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33046", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33046" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113701?format=api", "purl": "pkg:pypi/indico@3.3.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.12" } ], "aliases": [ "CVE-2026-33046", "GHSA-rm2q-f7jv-3cfp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-px34-3ut4-cyeu" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.12" }