CVE-2025-59035

Description

### Impact There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. ### Patches You should to update to [Indico 3.3.8](https://github.com/indico/indico/releases/tag/v3.3.8) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update. ### Workarounds Only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a a fixed version ASAP in particular when using such workflows. ### For more information If you have any questions or comments about this advisory: - Open a thread in [our forum](https://talk.getindico.io/) - Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)

How to fix CVE-2025-59035

To remediate CVE-2025-59035, upgrade the affected package to a fixed version below.

• —upgrade to 3.3.8 or later

Is CVE-2025-59035 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.3.8

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59035
• PATCHgithub.com/indico/indico
• WEBgithub.com/indico/indico/releases/tag/v3.3.8
• WEBgithub.com/indico/indico/security/advisories/GHSA-7cf7-9wrr-vrf4