CVE-2026-33046: Indico discloses local files resulting in Remote Code Execution through LaTeX injection
[!NOTE] If server-side LaTeX rendering is not in use (i.e. XELATEX_PATH was not set in indico.conf), this vulnerability does not apply.
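One way to check the applicability condition in the note above, as an added example that is not code from the advisory or from the Indico project: it statically parses indico.conf (assumed to use Python syntax with top-level assignments) and reports whether XELATEX_PATH ends up set. The function names and sample configs are constructed for illustration.

```python
import ast
import sys

SETTING = "XELATEX_PATH"  # setting named in the advisory note

# Constructed sample configs (not taken from a real deployment).
SAMPLE_ENABLED = "BASE_URL = 'https://indico.example.org'\nXELATEX_PATH = '/usr/bin/xelatex'\n"
SAMPLE_COMMENTED = "BASE_URL = 'https://indico.example.org'\n# XELATEX_PATH = '/usr/bin/xelatex'\n"
SAMPLE_OVERRIDDEN = "XELATEX_PATH = '/usr/bin/xelatex'\nXELATEX_PATH = None\n"


def xelatex_setting(conf_source):
    """Return (found, value) for the last top-level XELATEX_PATH assignment.

    The file is parsed, never executed. Assignments nested in if/try blocks
    are not inspected (assumption: settings are plain top-level assignments).
    """
    found, value = False, None
    for node in ast.parse(conf_source).body:
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets = [node.target]
        else:
            continue
        if any(isinstance(t, ast.Name) and t.id == SETTING for t in targets):
            found = True  # a later assignment overrides an earlier one
            try:
                value = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                # Computed value (e.g. os.path.join(...)): treat as set.
                value = "<non-literal>"
    return found, value


def latex_rendering_configured(conf_source):
    """True when XELATEX_PATH is set to a non-empty value, so the advisory applies."""
    found, value = xelatex_setting(conf_source)
    return found and bool(value)


if __name__ == "__main__":
    # Usage: python check_xelatex.py /path/to/indico.conf
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENABLED
    if latex_rendering_configured(source):
        print(f"{SETTING} is set: server-side LaTeX rendering is in use, advisory applies")
    else:
        print(f"{SETTING} is not set: advisory does not apply")
```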
References
- github.com/advisories/GHSA-rm2q-f7jv-3cfp
- github.com/indico/indico
- github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96
- github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6
- github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a
- github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8
- github.com/indico/indico/releases/tag/v3.3.12
- github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp
- nvd.nist.gov/vuln/detail/CVE-2026-33046