CVE-2026-25739
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Indico event management system versions prior to 3.3.10. Attackers can inject malicious scripts by uploading certain file types as materials, potentially compromising user sessions and data. The vulnerability affects all Indico instances using vulnerable versions, particularly those allowing material uploads by speakers or other users.
💻 Affected Systems
- Indico
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or compromise administrator accounts leading to full system takeover.
Likely Case
Session hijacking of regular users, credential theft, or defacement of event materials through injected content.
If Mitigated
Limited impact with proper CSP headers and user upload restrictions, potentially only affecting users who download malicious materials.
🎯 Exploit Status
Exploitation requires ability to upload materials, which typically requires some level of authentication (speaker or user permissions).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.10
Vendor Advisory: https://github.com/indico/indico/security/advisories/GHSA-jxc4-54g3-j7vp
Restart Required: Yes
Instructions:
1. Upgrade Indico to version 3.3.10 or later.
2. For nginx users with STATIC_FILE_METHOD set to xaccelredirect, update the webserver config to apply strict CSP headers.
3. Restart the Indico service and the webserver.
🔧 Temporary Workarounds
Apply strict CSP headers via webserver
Configure the webserver to apply strict Content Security Policy headers for material download endpoints.
# Example nginx config:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
Restrict upload permissions
Only allow trustworthy users to create content and upload materials.
# Configure Indico permissions to restrict material uploads to trusted administrators only
🧯 If You Can't Patch
- Implement strict Content Security Policy headers for all material download endpoints
- Restrict material upload permissions to trusted administrators only
🔍 How to Verify
Check if Vulnerable:
Check Indico version: if version < 3.3.10, system is vulnerable
Check Version:
indico --version
Verify Fix Applied:
Verify version is 3.3.10 or later and check that CSP headers are present in material download responses
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- Multiple failed upload attempts
- Requests to material endpoints with suspicious parameters
Network Indicators:
- HTTP responses from material endpoints containing script tags or unusual content
- Requests for material files with unusual extensions
SIEM Query:
source="indico" AND (event="file_upload" OR uri="/material/") AND (file_extension IN ("html", "htm", "svg") OR content_type="text/html")
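An added example, not part of this advisory or of Indico's own code: a Python script that performs the two checks above offline, the CSP verification from "How to Verify" and the SIEM query as a filter over constructed JSON log lines (the log field names are assumed).

```python
"""Offline checks for the two mitigations on this page: a CSP-header check for
material download responses and a log filter mirroring the SIEM query."""
import json

# Extensions and content types a browser renders as active content; the page's
# SIEM query lists html/htm/svg, xhtml and the svg/xhtml MIME types are added here.
RISKY_EXTENSIONS = {"html", "htm", "xhtml", "svg"}
RISKY_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def csp_restricts_scripts(headers):
    """True if the response carries a CSP whose script-src (or the default-src
    fallback) is present and allows neither '*' nor 'unsafe-inline'."""
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy")
    if not csp:
        return False
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return not ({"*", "'unsafe-inline'"} & {s.lower() for s in sources})

def risky_uploads(log_lines):
    """Return records (one constructed JSON object per line) matching the SIEM
    query above: Indico upload or /material/ events with active-content types."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("source") != "indico":
            continue
        if rec.get("event") != "file_upload" and "/material/" not in rec.get("uri", ""):
            continue
        ext = rec.get("file_extension", "").lower()
        ctype = rec.get("content_type", "").lower()
        if ext in RISKY_EXTENSIONS or ctype in RISKY_CONTENT_TYPES:
            hits.append(rec)
    return hits

# Constructed sample log lines, not real Indico output.
SAMPLE_LOGS = [
    '{"source": "indico", "event": "file_upload", "user": "speaker1", "file_extension": "pdf", "content_type": "application/pdf"}',
    '{"source": "indico", "event": "file_upload", "user": "speaker2", "file_extension": "svg", "content_type": "image/svg+xml"}',
    '{"source": "indico", "uri": "/event/12/material/slides.html", "file_extension": "html", "content_type": "text/html"}',
    '{"source": "nginx", "event": "file_upload", "file_extension": "html"}',
]
```

Running `risky_uploads(SAMPLE_LOGS)` flags the svg upload and the html material request but not the pdf or the non-Indico line; `csp_restricts_scripts` accepts the nginx header shown in the workaround above.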