CVE-2026-25739
Indico Affected by Cross-Site-Scripting via material uploads
Description
### Impact There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials. ### Patches You should to update to [Indico 3.3.10](https://github.com/indico/indico/releases/tag/v3.3.10) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update. Please be aware that to apply the fix itself updating is sufficient, but to benefit from the strict Content-Security-Policy we now apply by default for file downloads, you need to update your webserver config in case you use nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect` and add the following line to the `.xsf/indico/` location block (you can consult the Indico setup documentation for the full configuration snippet): ```nginx add_header Content-Security-Policy $upstream_http_content_security_policy; ``` ### Workarounds - Use your webserver config to apply a strict CSP for material download endpoints. - Only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico. ### For more information If you have any questions or comments about this advisory: - Open a thread in [our forum](https://talk.getindico.io/) - Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)
How to fix CVE-2026-25739
To remediate CVE-2026-25739, upgrade the affected package to a fixed version below.
- —upgrade to 3.3.10 or later
Is CVE-2026-25739 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.3.10