Platform
python
Component
indico
Fixed in
3.3.13
3.3.12
CVE-2026-33046 is a Remote Code Execution (RCE) vulnerability discovered in Indico, an event management system. This vulnerability allows attackers to execute arbitrary code on the server by crafting malicious LaTeX snippets, potentially leading to complete system compromise. The vulnerability affects versions of Indico up to 3.3.9, and a patch is available in version 3.3.12.
The vulnerability stems from weaknesses in TeXLive and insufficient sanitization of LaTeX syntax within Indico. An attacker can leverage specially crafted LaTeX code to bypass Indico's security measures and gain unauthorized access to the server. This could lead to data breaches, system compromise, and potential disruption of Indico services. The impact is particularly severe because the attacker can execute code with the privileges of the user running the Indico process, potentially escalating privileges to gain full control of the system. This is similar to other LaTeX-based vulnerabilities where malicious code injection can lead to arbitrary command execution.
CVE-2026-33046 was publicly disclosed on March 23, 2026. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the potential for exploitation exists given the RCE nature of the vulnerability. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Organizations using Indico for event management, particularly those relying on server-side LaTeX rendering for document generation or display, are at risk. This includes academic institutions, research organizations, and conference organizers who may be running Indico on shared hosting environments or legacy infrastructure.
• linux / server:
```shell
journalctl -u indico | grep -i "latex"
```
• python:
```python
# Quick check: a substring search also matches commented-out or None-valued
# lines, so treat a hit as "possibly enabled" and inspect the line by hand.
with open('/opt/indico/indico.conf', 'r') as f:
    if 'XELATEX_PATH' in f.read():
        print('XELATEX_PATH is set - vulnerability may be present')
```
• generic web:
```shell
curl -I http://your-indico-server/some/latex/endpoint
```
• generic web: Inspect Indico access logs for requests containing unusual or obfuscated LaTeX code.
Disclosure
Exploit status
EPSS
0.08% (25th percentile)
CISA SSVC
The primary mitigation is to upgrade to Indico version 3.3.12 or later, which includes the necessary fixes. If upgrading immediately is not possible, disable server-side LaTeX rendering by ensuring the XELATEX_PATH variable is not set in indico.conf. This will prevent the vulnerable LaTeX processing from occurring. Consider implementing a Web Application Firewall (WAF) with rules to filter potentially malicious LaTeX code. Monitor Indico logs for unusual LaTeX processing activity. After upgrading, confirm the fix by attempting to render a known malicious LaTeX snippet and verifying that it is properly sanitized and does not execute arbitrary code.
Update Indico to version 3.3.12 or later. Alternatively, disable the LaTeX functionality by removing the `XELATEX_PATH` setting from `indico.conf` and restarting the `indico-uwsgi` and `indico-celery` services. Running the LaTeX renderer in containers (using `podman`) is recommended, to isolate it from the rest of the system.
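An exposure check that combines the two conditions the advisory names (an unpatched Indico release and an active `XELATEX_PATH` setting), added here as an example and not code from the advisory or from the Indico project. Unlike the one-line `in f.read()` check, it ignores commented-out lines and `None`/empty values; it assumes the setting is a plain `NAME = value` line in `indico.conf` and, conservatively, treats every release below 3.3.12 as unpatched.

```python
import re
from typing import Dict, Tuple

FIXED_VERSION: Tuple[int, int, int] = (3, 3, 12)  # first fixed release per the advisory
# Matches an uncommented assignment such as:  XELATEX_PATH = '/usr/bin/xelatex'
_XELATEX_RE = re.compile(r"^\s*XELATEX_PATH\s*=\s*(?P<value>.+?)\s*(#.*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '3.3.9' into (3, 3, 9); any suffix after the patch number is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Indico version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def latex_rendering_enabled(conf_text: str) -> bool:
    """True only if indico.conf assigns a real path to XELATEX_PATH.

    Lines starting with '#' never match, and values of None or '' count as
    disabled, which a bare substring search would wrongly flag."""
    enabled = False
    for line in conf_text.splitlines():
        m = _XELATEX_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("'\"")
        enabled = value not in ("", "None")  # last assignment wins
    return enabled


def assess(version: str, conf_text: str) -> Dict[str, bool]:
    """Exposed only when the release is unpatched AND server-side LaTeX is on."""
    patched = parse_version(version) >= FIXED_VERSION
    latex_on = latex_rendering_enabled(conf_text)
    return {"patched": patched, "latex_enabled": latex_on,
            "exposed": (not patched) and latex_on}


if __name__ == "__main__":
    # Constructed sample config, not a real installation.
    SAMPLE_CONF = "# XELATEX_PATH = '/old/xelatex'\nXELATEX_PATH = '/usr/bin/xelatex'  # enabled\n"
    print(assess("3.3.9", SAMPLE_CONF))   # {'patched': False, 'latex_enabled': True, 'exposed': True}
    print(assess("3.3.12", SAMPLE_CONF))  # {'patched': True, 'latex_enabled': True, 'exposed': False}
```

Run it against the real `indico.conf` and the output of `indico --version` from the host being assessed; "exposed": False after removing `XELATEX_PATH` confirms the workaround took effect.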
CVE-2026-33046 is a Remote Code Execution vulnerability in Indico versions up to 3.3.9, allowing attackers to execute code via malicious LaTeX snippets.
You are affected if you are running Indico versions 3.3.9 or earlier and have server-side LaTeX rendering enabled (XELATEX_PATH is set).
Upgrade to Indico version 3.3.12 or later. Alternatively, disable server-side LaTeX rendering by removing the XELATEX_PATH setting from indico.conf.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Indico GitHub release notes for version 3.3.12: https://github.com/indico/indico/releases/tag/v3.3.12