=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN183
_____________________________________________________________________

DATE                : 18/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Indico versions prior to 3.3.10.

=====================================================================
https://github.com/indico/indico/security/advisories/GHSA-f47c-3c5w-v7p4
https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp
_____________________________________________________________________


Server-Side Request Forgery (SSRF) in multiple places
Moderate
ThiefMaster published GHSA-f47c-3c5w-v7p4 Feb 17, 2026

Package
indico (pip)

Affected versions
<3.3.10

Patched versions
3.3.10


Description

Impact

Indico makes outgoing requests to user-provided URLs in various places.
This is mostly intentional and part of Indico's functionality, but it is
of course never intended to let a user reach "special" targets such as
localhost or cloud metadata endpoints.


Patches

You should update to Indico 3.3.10 as soon as possible.
See the docs for instructions on how to update.


Workarounds

If you have no IPs that expose sensitive data without authentication
(typically because you do not host Indico on AWS), this vulnerability
does not impact you and you can ignore it (but please upgrade anyway).
Also, only event organizers can access the endpoints where the SSRF
could be used to actually see the data returned by such a request, so
if you trust your event organizers the risk is also very limited.

For additional security, both before and after patching, you could also
use the common proxy-related environment variables (in particular
http_proxy and https_proxy) to force outgoing requests to go through a
proxy that limits requests in whatever way you deem useful/necessary.
These environment variables would need to be set both on the
indico-uwsgi and indico-celery services. Please note that setting up
such a proxy is not something we can help you with.


For more information

If you have any questions or comments about this advisory:

    Open a thread in our forum
    Email us privately at indico-team@cern.ch


Severity
Moderate

CVE ID
CVE-2026-25738

Weaknesses
Weakness CWE-367 (Time-of-check Time-of-use Race Condition)
Weakness CWE-918 (Server-Side Request Forgery)


Credits

    @rahulgovind (Reporter)
    @inkz (Reporter)
    @yueyueL (Reporter)

_____________________________________________________________________


Cross-Site-Scripting via material uploads
Moderate
ThiefMaster published GHSA-jxc4-54g3-j7vp Feb 17, 2026

Package
indico (pip)

Affected versions
<3.3.10

Patched versions
3.3.10


Description

Impact

There is a Cross-Site-Scripting vulnerability when uploading certain
file types as materials.


Patches

You should update to Indico 3.3.10 as soon as possible.
See the docs for instructions on how to update.

Please be aware that updating is sufficient to apply the fix itself, but
to benefit from the strict Content-Security-Policy that is now applied
by default for file downloads, you need to update your webserver config
if you use nginx with Indico's STATIC_FILE_METHOD set to xaccelredirect:
when nginx serves a file via X-Accel-Redirect it only passes through a
fixed set of upstream headers (Content-Type, Content-Disposition and a
few caching headers), so the upstream's Content-Security-Policy is
dropped unless you add the following line to the .xsf/indico/ location
block (you can consult the Indico setup documentation for the full
configuration snippet):

add_header Content-Security-Policy $upstream_http_content_security_policy;


Workarounds

    Use your webserver config to apply a strict CSP for material
    download endpoints.
    Only let trustworthy users create content (including material
    uploads, which speakers can typically do as well) on Indico.
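The weakness listed for this advisory is CWE-692, an incomplete denylist, and the fix and workaround above both rely on a strict CSP on download responses. The following added example (not Indico's code; the advisory does not state which file types were missed or which CSP Indico now sends, so the lists and the policy string are assumptions) shows the pattern: a "before" handler that serves uploads inline unless their type is on a denylist of active content, which an SVG or XHTML upload walks straight past, and a hardened handler that inverts the logic into an allowlist of inert types and adds a sandboxing CSP to every response so that even a mistake in the allowlist cannot execute script in the site's origin. The uploads are constructed sample data.

```python
"""Added example (not Indico's code): incomplete denylist (CWE-692) versus
allowlist plus strict CSP for serving user-uploaded material files."""

# Constructed uploads: (filename, declared content type, body). The bodies
# only serve to mark which files carry script.
UPLOADS = [
    ("slides.pdf", "application/pdf", b"%PDF-1.4 ..."),
    ("talk.html", "text/html", b"<script>alert(document.cookie)</script>"),
    ("logo.svg", "image/svg+xml",
     b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'),
    ("notes.xhtml", "application/xhtml+xml",
     b'<html xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></html>'),
    ("photo.png", "image/png", b"\x89PNG..."),
]

# "Before" pattern: inline unless the type is on a denylist. The list is wrong
# as soon as it misses one scriptable type; here SVG and XHTML are missing.
ACTIVE_TYPE_DENYLIST = {"text/html", "application/javascript", "text/javascript"}

# "After" pattern: only known-inert types are ever shown inline ...
INLINE_ALLOWLIST = {"application/pdf", "image/png", "image/jpeg", "image/gif", "text/plain"}
# ... and every response carries a CSP that forbids all sources and sandboxes
# the document. Assumed policy; the exact header Indico sends is not stated.
STRICT_CSP = "default-src 'none'; sandbox"


def _disposition(kind, filename):
    # Drop characters that could terminate the quoted filename or inject a header.
    safe = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return f'{kind}; filename="{safe}"'


def headers_denylist(filename, content_type):
    """Response headers produced by the denylist approach."""
    kind = "attachment" if content_type in ACTIVE_TYPE_DENYLIST else "inline"
    return {"Content-Type": content_type,
            "Content-Disposition": _disposition(kind, filename)}


def headers_hardened(filename, content_type):
    """Response headers produced by the allowlist + CSP approach."""
    kind = "inline" if content_type in INLINE_ALLOWLIST else "attachment"
    return {"Content-Type": content_type,
            "Content-Disposition": _disposition(kind, filename),
            "Content-Security-Policy": STRICT_CSP,
            "X-Content-Type-Options": "nosniff"}   # no sniffing into text/html


def can_run_script_in_origin(headers):
    """Simplified browser model: script inside the file is a problem only if
    the response is rendered inline in the site's origin and no CSP blocks it."""
    inline = headers["Content-Disposition"].startswith("inline")
    csp = headers.get("Content-Security-Policy", "")
    blocked = ("sandbox" in csp or "default-src 'none'" in csp
               or "script-src 'none'" in csp)
    return inline and not blocked


def audit(header_fn):
    """Map filename -> True where an upload containing script would execute."""
    return {name: b"<script" in body and can_run_script_in_origin(header_fn(name, ctype))
            for name, ctype, body in UPLOADS}


if __name__ == "__main__":
    print("denylist :", audit(headers_denylist))
    print("hardened :", audit(headers_hardened))
```

When the file bytes are handed to nginx with X-Accel-Redirect, the Content-Type and Content-Disposition computed here survive, but the Content-Security-Policy does not unless nginx is told to copy it from the upstream response, which is what the `add_header ... $upstream_http_content_security_policy` line above does.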


For more information

If you have any questions or comments about this advisory:

    Open a thread in our forum
    Email us privately at indico-team@cern.ch

Severity
Moderate (5.4 / 10)

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : Low
User interaction    : Required
Scope               : Changed
Confidentiality     : Low
Integrity           : Low
Availability        : None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID
CVE-2026-25739
Weaknesses
Weakness CWE-692 (Incomplete Denylist to Cross-Site Scripting)

Credits

    @dreyercito (Finder)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================