CVE-2026-25739
Received Received - Intake

Cross-Site Scripting in Indico Materials Upload Pre

Vulnerability report for CVE-2026-25739, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-19
Last Modified
2026-02-26
Generated
2026-07-06
AI Q&A
2026-02-19
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cern indico to 3.3.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Indico, an event management system that uses Flask-Multipass for authentication. Versions prior to 3.3.10 are vulnerable to cross-site scripting (XSS) attacks when uploading certain file types as materials.

Cross-site scripting allows attackers to inject malicious scripts into web pages viewed by other users, potentially compromising their security.

The vulnerability can be mitigated by upgrading Indico to version 3.3.10, which includes a patch. Additional security can be achieved by applying a strict Content Security Policy (CSP) for file downloads, especially when using nginx with Indico's STATIC_FILE_METHOD set to xaccelredirect.

Impact Analysis

This cross-site scripting vulnerability can allow attackers to execute malicious scripts in the context of users who view the uploaded materials, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.

Users who can upload materials, such as speakers or trusted content creators, could inadvertently or maliciously upload files that exploit this vulnerability.

Without applying the patch or additional security measures like a strict Content Security Policy, the system and its users remain at risk.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Indico to version 3.3.10 or later, which includes the patch for the cross-site scripting issue.

Additionally, if you use nginx with Indico's STATIC_FILE_METHOD set to xaccelredirect, update your webserver configuration to apply a strict Content Security Policy (CSP) for file download endpoints.

As a workaround, you can restrict material uploads to only trustworthy users, such as speakers, to reduce the risk of malicious file uploads.

For further directions, consult the GitHub Security advisory or Indico setup documentation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart