Platform: python
Component: indico
Fixed in: 3.3.13, 3.3.12
CVE-2026-33046 is a Remote Code Execution (RCE) vulnerability in Indico, an open-source event management system. An attacker who can submit crafted LaTeX snippets to the application can have arbitrary code executed on the server when Indico renders them with its server-side LaTeX engine, which can lead to complete compromise of the host. Indico versions up to 3.3.9 are affected; the fix ships in version 3.3.12.
The impact is severe because the attacker ends up running code as the Indico service account. From there they could read data the server holds (user credentials, event details, configuration files), modify or destroy data, install malware, disrupt services and, depending on how the process is deployed, attempt to escalate privileges and take over the whole system. The root cause is insufficient sanitization of user-supplied LaTeX before it reaches the renderer, so dangerous commands are passed through instead of being rejected. This is the familiar pattern of user-controlled input being handed to a rendering engine that is itself capable of executing commands.
CVE-2026-33046 was publicly disclosed on 2026-03-23. There is no indication of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. No public proof-of-concept exploit is available yet, but given the nature of the flaw one is likely to emerge.
Exploit Status
EPSS: 0.08% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33046 is to upgrade Indico to version 3.3.12 or later. If upgrading immediately is not feasible, disable server-side LaTeX rendering by making sure XELATEX_PATH is not set in indico.conf; with the renderer disabled, the vulnerable code path is not reachable. Review Indico's application logs for LaTeX rendering errors or unusual rendering activity around the disclosure date. A Web Application Firewall rule that blocks suspicious LaTeX patterns is at best a stopgap: LaTeX is a full macro language, and pattern-based blocklists are easy to bypass, so treat such a rule as a detection aid rather than as the fix. After upgrading, confirm that the running instance reports version 3.3.12 or later and that the application services were restarted so the new code is actually in use; do not test the fix by submitting known-malicious LaTeX to a production instance.
Upgrade Indico to version 3.3.12 or later. Alternatively, disable the LaTeX functionality by removing the `XELATEX_PATH` setting from `indico.conf` and restarting the `indico-uwsgi` and `indico-celery` services. Running the LaTeX renderer in containers (using `podman`), so that it is isolated from the rest of the system, is recommended.
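The version and configuration checks from the mitigation steps above, as an added shell example (it is not Indico project code). It assumes the conservative reading that any release below 3.3.12 is unpatched, treats a non-empty `XELATEX_PATH` other than `None` in `indico.conf` as server-side rendering being enabled, and uses constructed sample config files in place of a real `indico.conf`; the `installed_version` helper, which reads the version from `pip show indico`, is likewise an assumption and only works inside the Indico virtualenv.

```shell
#!/bin/sh
# Added example, not Indico project code: triage helper for CVE-2026-33046.
# Assumptions: any Indico release below 3.3.12 is treated as unpatched (the
# advisory names 3.3.9 as the last affected version; this is the conservative
# reading), and server-side LaTeX rendering counts as enabled when indico.conf
# sets XELATEX_PATH to a non-empty value other than None.

FIXED_VERSION="3.3.12"

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
# Handles plain releases such as 3.3.9 or 3.3.12; pre-release suffixes are
# out of scope.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading component of each side
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}          # a missing component counts as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1                              # versions are equal
}

# latex_enabled CONF: exit 0 when CONF contains an uncommented XELATEX_PATH
# assignment whose value is neither empty nor None (Python's "disabled").
latex_enabled() {
    conf="$1"
    # sed prints the right-hand side of every active assignment; the last one
    # wins, as in Python. Trailing comments, quotes and whitespace are dropped.
    val=$(sed -n 's/^[[:space:]]*XELATEX_PATH[[:space:]]*=//p' "$conf" 2>/dev/null \
          | tail -n 1 | sed -e 's/#.*$//' -e "s/['\"[:space:]]//g")
    [ -n "$val" ] && [ "$val" != "None" ]
}

# installed_version: version of the indico package in the active virtualenv.
# Assumption: pip belongs to that venv (e.g. after activating /opt/indico/.venv).
installed_version() {
    pip show indico 2>/dev/null | awk '/^Version:/ { print $2 }'
}

# affected CONF VERSION: exit 0 (and say why) when the instance is exposed.
affected() {
    conf="$1"; ver="$2"
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "not affected: Indico $ver is at or above $FIXED_VERSION"
        return 1
    fi
    if ! latex_enabled "$conf"; then
        echo "unpatched ($ver) but XELATEX_PATH is unset: LaTeX rendering path not reachable; still upgrade"
        return 1
    fi
    echo "AFFECTED: Indico $ver with server-side LaTeX enabled; upgrade to $FIXED_VERSION+ or unset XELATEX_PATH"
    return 0
}

# Constructed sample configurations for the demo (not real deployments).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
XELATEX_PATH = '/usr/bin/xelatex'   # server-side LaTeX rendering on
EOF
SAMPLE_CONF_OFF=$(mktemp)
cat > "$SAMPLE_CONF_OFF" <<'EOF'
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
# XELATEX_PATH = '/usr/bin/xelatex'  # commented out after the advisory
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF_OFF"' EXIT

affected "$SAMPLE_CONF" 3.3.9      || true   # AFFECTED
affected "$SAMPLE_CONF_OFF" 3.3.9  || true   # unpatched, LaTeX path disabled
affected "$SAMPLE_CONF" 3.3.12     || true   # not affected
```

On a real host, replace the sample files with the path of the deployed `indico.conf` and the literal version with `$(installed_version)`; remember that the check only reflects what the running services loaded if they were restarted after the last config or package change.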
CVE-2026-33046 is a Remote Code Execution vulnerability in Indico versions up to 3.3.9, allowing attackers to execute code via malicious LaTeX snippets.
You are affected if you are running Indico versions 3.3.9 or earlier and have server-side LaTeX rendering enabled (XELATEX_PATH is set).
Upgrade to Indico version 3.3.12 or later. Alternatively, disable server-side LaTeX rendering by removing the XELATEX_PATH setting from indico.conf and restarting the Indico services so the change takes effect.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Indico GitHub release notes for version 3.3.12: https://github.com/indico/indico/releases/tag/v3.3.12