CVE-2026-25739
Received Received - Intake
Cross-Site Scripting in Indico Materials Upload Pre

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2026-02-19
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25739
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cern indico to 3.3.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Indico, an event management system that uses Flask-Multipass for authentication. Versions prior to 3.3.10 are vulnerable to cross-site scripting (XSS) attacks when uploading certain file types as materials.

Cross-site scripting allows attackers to inject malicious scripts into web pages viewed by other users, potentially compromising their security.

The vulnerability can be mitigated by upgrading Indico to version 3.3.10, which includes a patch. Additional security can be achieved by applying a strict Content Security Policy (CSP) for file downloads, especially when using nginx with Indico's STATIC_FILE_METHOD set to xaccelredirect.


How can this vulnerability impact me? :

This cross-site scripting vulnerability can allow attackers to execute malicious scripts in the context of users who view the uploaded materials, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.

Users who can upload materials, such as speakers or trusted content creators, could inadvertently or maliciously upload files that exploit this vulnerability.

Without applying the patch or additional security measures like a strict Content Security Policy, the system and its users remain at risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Indico to version 3.3.10 or later, which includes the patch for the cross-site scripting issue.

Additionally, if you use nginx with Indico's STATIC_FILE_METHOD set to xaccelredirect, update your webserver configuration to apply a strict Content Security Policy (CSP) for file download endpoints.

As a workaround, you can restrict material uploads to only trustworthy users, such as speakers, to reduce the risk of malicious file uploads.

For further directions, consult the GitHub Security advisory or Indico setup documentation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart