Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/indico@3.3.2
Typepypi
Namespace
Nameindico
Version3.3.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.3.12
Latest_non_vulnerable_version3.3.12
Affected_by_vulnerabilities
0
url VCID-3ev2-cjep-w3fd
vulnerability_id VCID-3ev2-cjep-w3fd
summary Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users. Indico 3.3.4 upgrades the dependency on Flask-Multipass to version 0.5.5, which fixes the issue. Those who build the Indico package themselves and cannot upgrade can update the `flask-multipass` dependency to `>=0.5.5` which fixes the vulnerability. Otherwise one could configure one's web server to disallow requests containing a query string with a `next` parameter that starts with `javascript:`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45399
reference_id
reference_type
scores
0
value 0.00809
scoring_system epss
scoring_elements 0.74594
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45399
1
reference_url https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T20:17:25Z/
url https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a
2
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
3
reference_url https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T20:17:25Z/
url https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f
4
reference_url https://github.com/indico/indico/releases/tag/v3.3.4
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T20:17:25Z/
url https://github.com/indico/indico/releases/tag/v3.3.4
5
reference_url https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-04T20:17:25Z/
url https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2024-90.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2024-90.yaml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45399
reference_id CVE-2024-45399
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45399
8
reference_url https://github.com/advisories/GHSA-rrqf-w74j-24ff
reference_id GHSA-rrqf-w74j-24ff
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rrqf-w74j-24ff
fixed_packages
0
url pkg:pypi/indico@3.3.4
purl pkg:pypi/indico@3.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-c98b-cth4-1yf3
1
vulnerability VCID-m3r7-uja3-ybge
2
vulnerability VCID-nzny-2gtr-9yby
3
vulnerability VCID-px34-3ut4-cyeu
4
vulnerability VCID-rdjk-wdan-aucm
5
vulnerability VCID-yduc-fh4z-3ueu
6
vulnerability VCID-z8zh-5u9q-d7hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.4
aliases CVE-2024-45399, GHSA-rrqf-w74j-24ff, PYSEC-2024-90
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ev2-cjep-w3fd
1
url VCID-c98b-cth4-1yf3
vulnerability_id VCID-c98b-cth4-1yf3
summary 
Indico vulnerability allows attackers to bulk dump user details
An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-53640
reference_id
reference_type
scores
0
value 0.00174
scoring_system epss
scoring_elements 0.38626
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-53640
1
reference_url https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T15:00:08Z/
url https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH
2
reference_url https://docs.getindico.io/en/stable/installation/upgrade
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T15:00:08Z/
url https://docs.getindico.io/en/stable/installation/upgrade
3
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
4
reference_url https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico/pull/6936/commits/f8583557a3da56aeea8857ae69bf17c9066c95c1
5
reference_url https://github.com/indico/indico/releases/tag/v3.3.7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T15:00:08Z/
url https://github.com/indico/indico/releases/tag/v3.3.7
6
reference_url https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/cve202553640-detect-indico-vulnerability
7
reference_url https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/cve202553640-mitigate-indico-vulnerability
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-53640
reference_id CVE-2025-53640
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-53640
9
reference_url https://github.com/advisories/GHSA-q28v-664f-q6wj
reference_id GHSA-q28v-664f-q6wj
reference_type
scores
url https://github.com/advisories/GHSA-q28v-664f-q6wj
10
reference_url https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj
reference_id GHSA-q28v-664f-q6wj
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-15T15:00:08Z/
url https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj
fixed_packages
0
url pkg:pypi/indico@3.3.7
purl pkg:pypi/indico@3.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-m3r7-uja3-ybge
1
vulnerability VCID-nzny-2gtr-9yby
2
vulnerability VCID-px34-3ut4-cyeu
3
vulnerability VCID-rdjk-wdan-aucm
4
vulnerability VCID-yduc-fh4z-3ueu
5
vulnerability VCID-z8zh-5u9q-d7hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.7
aliases CVE-2025-53640, GHSA-q28v-664f-q6wj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c98b-cth4-1yf3
2
url VCID-gwzf-9uat-akcr
vulnerability_id VCID-gwzf-9uat-akcr
summary 
Indico Insecure Access
A Broken Object Level Authorization (BOLA) vulnerability in Indico v3.2.9 allows attackers to access sensitive information via sending a crafted POST request to the component /api/principals.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50633
reference_id
reference_type
scores
0
value 0.09014
scoring_system epss
scoring_elements 0.9279
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50633
1
reference_url https://github.com/cetinpy/CVE-2024-50633/issues/1
reference_id
reference_type
scores
0
value 0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-17T17:21:51Z/
url https://github.com/cetinpy/CVE-2024-50633/issues/1
2
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
3
reference_url https://github.com/cetinpy/CVE-2024-50633
reference_id CVE-2024-50633
reference_type
scores
0
value 0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-17T17:21:51Z/
url https://github.com/cetinpy/CVE-2024-50633
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50633
reference_id CVE-2024-50633
reference_type
scores
0
value 0.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50633
5
reference_url https://github.com/advisories/GHSA-3wg7-r7q5-r2jf
reference_id GHSA-3wg7-r7q5-r2jf
reference_type
scores
url https://github.com/advisories/GHSA-3wg7-r7q5-r2jf
fixed_packages
0
url pkg:pypi/indico@3.3.3
purl pkg:pypi/indico@3.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ev2-cjep-w3fd
1
vulnerability VCID-c98b-cth4-1yf3
2
vulnerability VCID-m3r7-uja3-ybge
3
vulnerability VCID-nzny-2gtr-9yby
4
vulnerability VCID-px34-3ut4-cyeu
5
vulnerability VCID-rdjk-wdan-aucm
6
vulnerability VCID-yduc-fh4z-3ueu
7
vulnerability VCID-z8zh-5u9q-d7hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.3
aliases CVE-2024-50633, GHSA-3wg7-r7q5-r2jf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gwzf-9uat-akcr
3
url VCID-m3r7-uja3-ybge
vulnerability_id VCID-m3r7-uja3-ybge
summary 
Indico may disclose unauthorized user details access via legacy API
A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59034
reference_id
reference_type
scores
0
value 0.00052
scoring_system epss
scoring_elements 0.16534
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59034
1
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
2
reference_url https://github.com/indico/indico/releases/tag/v3.3.8
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-11T14:27:11Z/
url https://github.com/indico/indico/releases/tag/v3.3.8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59034
reference_id CVE-2025-59034
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59034
4
reference_url https://github.com/advisories/GHSA-4269-mcfh-cp7q
reference_id GHSA-4269-mcfh-cp7q
reference_type
scores
url https://github.com/advisories/GHSA-4269-mcfh-cp7q
5
reference_url https://github.com/indico/indico/security/advisories/GHSA-4269-mcfh-cp7q
reference_id GHSA-4269-mcfh-cp7q
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-11T14:27:11Z/
url https://github.com/indico/indico/security/advisories/GHSA-4269-mcfh-cp7q
fixed_packages
0
url pkg:pypi/indico@3.3.8
purl pkg:pypi/indico@3.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-nzny-2gtr-9yby
1
vulnerability VCID-px34-3ut4-cyeu
2
vulnerability VCID-rdjk-wdan-aucm
3
vulnerability VCID-z8zh-5u9q-d7hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.8
aliases CVE-2025-59034, GHSA-4269-mcfh-cp7q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m3r7-uja3-ybge
4
url VCID-nzny-2gtr-9yby
vulnerability_id VCID-nzny-2gtr-9yby
summary 
Indico has Server-Side Request Forgery (SSRF) in multiple places
Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25738
reference_id
reference_type
scores
0
value 0.00065
scoring_system epss
scoring_elements 0.20317
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25738
1
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
2
reference_url https://github.com/indico/indico/commit/70d341826116fac5868719a6133f2c26d9345137
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T17:22:45Z/
url https://github.com/indico/indico/commit/70d341826116fac5868719a6133f2c26d9345137
3
reference_url https://github.com/indico/indico/releases/tag/v3.3.10
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T17:22:45Z/
url https://github.com/indico/indico/releases/tag/v3.3.10
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25738
reference_id CVE-2026-25738
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25738
5
reference_url https://github.com/advisories/GHSA-f47c-3c5w-v7p4
reference_id GHSA-f47c-3c5w-v7p4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f47c-3c5w-v7p4
6
reference_url https://github.com/indico/indico/security/advisories/GHSA-f47c-3c5w-v7p4
reference_id GHSA-f47c-3c5w-v7p4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T17:22:45Z/
url https://github.com/indico/indico/security/advisories/GHSA-f47c-3c5w-v7p4
fixed_packages
0
url pkg:pypi/indico@3.3.10
purl pkg:pypi/indico@3.3.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-px34-3ut4-cyeu
1
vulnerability VCID-rdjk-wdan-aucm
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.10
aliases CVE-2026-25738, GHSA-f47c-3c5w-v7p4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nzny-2gtr-9yby
5
url VCID-px34-3ut4-cyeu
vulnerability_id VCID-px34-3ut4-cyeu
summary 
Indico discloses local files resulting in Remote Code Execution through LaTeX injection
> [!NOTE]
> If server-side LaTeX rendering is not in use (ie `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply.

### Impact
Due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server.

### Patches
It is recommended to update to [Indico 3.3.12](https://github.com/indico/indico/releases/tag/v3.3.12) as soon as possible.
See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.

It is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/#upgrading-to-3-3-12) for details - it is very easy and from now on the only recommended/supported way of using LaTeX.

### Workarounds
Remove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality.

### For more information
For any questions or comments about this advisory:

- Open a thread in [the forum](https://talk.getindico.io/)
- Send an email to [indico-team@cern.ch](mailto:indico-team@cern.ch)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33046
reference_id
reference_type
scores
0
value 0.00114
scoring_system epss
scoring_elements 0.29702
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33046
1
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
2
reference_url https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:10Z/
url https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96
3
reference_url https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:10Z/
url https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6
4
reference_url https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:10Z/
url https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a
5
reference_url https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:10Z/
url https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8
6
reference_url https://github.com/indico/indico/releases/tag/v3.3.12
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:10Z/
url https://github.com/indico/indico/releases/tag/v3.3.12
7
reference_url https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T13:42:10Z/
url https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33046
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33046
9
reference_url https://github.com/advisories/GHSA-rm2q-f7jv-3cfp
reference_id GHSA-rm2q-f7jv-3cfp
reference_type
scores
url https://github.com/advisories/GHSA-rm2q-f7jv-3cfp
fixed_packages
0
url pkg:pypi/indico@3.3.12
purl pkg:pypi/indico@3.3.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.12
aliases CVE-2026-33046, GHSA-rm2q-f7jv-3cfp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-px34-3ut4-cyeu
6
url VCID-rdjk-wdan-aucm
vulnerability_id VCID-rdjk-wdan-aucm
summary 
Indico has a missing access check in the event series management API
The API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint.

The impact of this is limited to:

- Getting the metadata (title, category chain, start/end date) for events in an existing series
- Deleting an existing event series: This just removes the series metadata, ie (if enabled) the links between events in the same series and the lecture series number in the event title
- Modifying an existing event series: Just like for deleting, it would only allow to toggle the metadata display. It could also be used to set an event title pattern for the series, but this is only used when cloning an event from that series.

That this vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28352
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05868
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28352
1
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
2
reference_url https://github.com/indico/indico/releases/tag/v3.3.11
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:29:12Z/
url https://github.com/indico/indico/releases/tag/v3.3.11
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28352
reference_id CVE-2026-28352
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28352
4
reference_url https://github.com/advisories/GHSA-rfpp-2hgm-gp5v
reference_id GHSA-rfpp-2hgm-gp5v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rfpp-2hgm-gp5v
5
reference_url https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v
reference_id GHSA-rfpp-2hgm-gp5v
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:29:12Z/
url https://github.com/indico/indico/security/advisories/GHSA-rfpp-2hgm-gp5v
fixed_packages
0
url pkg:pypi/indico@3.3.11
purl pkg:pypi/indico@3.3.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-px34-3ut4-cyeu
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.11
aliases CVE-2026-28352, GHSA-rfpp-2hgm-gp5v
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rdjk-wdan-aucm
7
url VCID-yduc-fh4z-3ueu
vulnerability_id VCID-yduc-fh4z-3ueu
summary 
Indico vulnerable to Cross-Site Scripting via LaTeX math code
There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59035
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12392
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59035
1
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
2
reference_url https://github.com/indico/indico/releases/tag/v3.3.8
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-11T14:26:59Z/
url https://github.com/indico/indico/releases/tag/v3.3.8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59035
reference_id CVE-2025-59035
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59035
4
reference_url https://github.com/advisories/GHSA-7cf7-9wrr-vrf4
reference_id GHSA-7cf7-9wrr-vrf4
reference_type
scores
url https://github.com/advisories/GHSA-7cf7-9wrr-vrf4
5
reference_url https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4
reference_id GHSA-7cf7-9wrr-vrf4
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-11T14:26:59Z/
url https://github.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4
fixed_packages
0
url pkg:pypi/indico@3.3.8
purl pkg:pypi/indico@3.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-nzny-2gtr-9yby
1
vulnerability VCID-px34-3ut4-cyeu
2
vulnerability VCID-rdjk-wdan-aucm
3
vulnerability VCID-z8zh-5u9q-d7hx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.8
aliases CVE-2025-59035, GHSA-7cf7-9wrr-vrf4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yduc-fh4z-3ueu
8
url VCID-z8zh-5u9q-d7hx
vulnerability_id VCID-z8zh-5u9q-d7hx
summary 
Indico Affected by Cross-Site-Scripting via material uploads
There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25739
reference_id
reference_type
scores
0
value 0.00059
scoring_system epss
scoring_elements 0.18874
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25739
1
reference_url https://github.com/indico/indico
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indico/indico
2
reference_url https://github.com/indico/indico/releases/tag/v3.3.10
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T19:48:55Z/
url https://github.com/indico/indico/releases/tag/v3.3.10
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25739
reference_id CVE-2026-25739
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25739
4
reference_url https://github.com/advisories/GHSA-jxc4-54g3-j7vp
reference_id GHSA-jxc4-54g3-j7vp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jxc4-54g3-j7vp
5
reference_url https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp
reference_id GHSA-jxc4-54g3-j7vp
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T19:48:55Z/
url https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp
fixed_packages
0
url pkg:pypi/indico@3.3.10
purl pkg:pypi/indico@3.3.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-px34-3ut4-cyeu
1
vulnerability VCID-rdjk-wdan-aucm
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.10
aliases CVE-2026-25739, GHSA-jxc4-54g3-j7vp
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z8zh-5u9q-d7hx
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/indico@3.3.2