CVE-2026-33046 | Indico up to 3.3.11 LaTeX indico.conf os command injection (GHSA-rm2q-f7jv-3cfp)

VDB-352656 · CVE-2026-33046 · GHSA-RM2Q-F7JV-3CFP INDICO UP TO 3.3.11 LATEX INDICO.CONF OS COMMAND INJECTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.0 $0-$5k 2.70+ Summaryinfo A vulnerability labeled as critical has been found in Indico up to 3.3.11. The impacted element is an unknown function of the file indico.conf of the component LaTeX Handler. The manipulation results in os command injection. This vulnerability is identified as CVE-2026-33046. The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded. Detailsinfo A vulnerability classified as critical has been found in Indico up to 3.3.11. Affected is an unknown part of the file indico.conf of the component LaTeX Handler. The manipulation with an unknown input leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes: Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server. Note that if server-side LaTeX rendering is not in use (ie `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply. It is recommended to update to Indico 3.3.12 as soon as possible. It is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. As a workaround, remove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-33046 since 03/17/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1202. Upgrading to version 3.3.12 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 0adb70f0ed66e129361d447868f5f3eb90dc5e96 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Name Indico Version 3.3.0 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.3.10 3.3.11 License open-source Website Product: https://github.com/indico/indico/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 6.3 VulDB Meta Temp Score: 6.0 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Os command injection CWE: CWE-78 / CWE-77 / CWE-74 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Indico 3.3.12 Patch: 0adb70f0ed66e129361d447868f5f3eb90dc5e96 Timelineinfo 03/17/2026 CVE reserved 03/24/2026 +7 days Advisory disclosed 03/24/2026 +0 days VulDB entry created 03/24/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-rm2q-f7jv-3cfp Status: Confirmed CVE: CVE-2026-33046 (🔒) GCVE (CVE): GCVE-0-2026-33046 GCVE (VulDB): GCVE-100-352656 Entryinfo Created: 03/24/2026 02:59 Changes: 03/24/2026 02:59 (71) Complete: 🔍 Cache ID: 99:3C5:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸