CVE-2026-25738: Indico has Server-Side Request Forgery (SSRF) in multiple places

February 17, 2026 (updated February 19, 2026)

Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico’s functionality, but of course it is never intended to let you access “special” targets such as localhost or cloud metadata endpoints.

References

github.com/advisories/GHSA-f47c-3c5w-v7p4
github.com/indico/indico
github.com/indico/indico/commit/70d341826116fac5868719a6133f2c26d9345137
github.com/indico/indico/releases/tag/v3.3.10
github.com/indico/indico/security/advisories/GHSA-f47c-3c5w-v7p4
nvd.nist.gov/vuln/detail/CVE-2026-25738

Code Behaviors & Features

Detect and mitigate CVE-2026-25738 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →