CVE-2026-33046 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 24, 2026
Indico - Command Injection
Published: March 23, 2026 | Updated: March 24, 2026 | Remote Exploitable
Overview
Indico versions before 3.3.12 contain a command injection vulnerability in server-side LaTeX rendering. Specially crafted LaTeX snippets circumvent the LaTeX sanitizer, letting an attacker with a low-privileged account (CVSS PR:L) read local files or execute code with the privileges of the user running the Indico server. Exploitation requires server-side LaTeX rendering to be enabled.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Attackers can execute code or read local files with the privileges of the Indico server user, potentially compromising the system.
Mitigation
Update to Indico 3.3.12 or later. Where the update cannot be applied immediately, disable server-side LaTeX rendering, or enable the containerized LaTeX renderer so that rendering is isolated from the host; the sanitizer alone should not be relied on as the security boundary.
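The Overview and Mitigation above describe the problem in one sentence each: a text-level LaTeX sanitizer was bypassed, and the durable fix is isolation rather than better filtering. The following Python example, added here and not taken from Indico or the advisory, illustrates the class of issue generically. The denylist sanitizer is a constructed, deliberately naive stand-in (it is not Indico's sanitizer, and the bypass shown is standard TeX `\csname` behaviour, not the snippet from the advisory). The second half builds a pdflatex invocation that leans on TeX's own kpathsea restrictions (`-no-shell-escape`, `openin_any=p`, `openout_any=p`, `TEXMFOUTPUT`) instead of on input filtering; it assumes kpathsea reads these variables from the environment as it does from texmf.cnf, and it assumes the `pdflatex` binary name.

```python
"""Why a LaTeX denylist is not a security boundary, and what TeX itself offers.

Added illustration for the CVE-2026-33046 write-up. Nothing here is Indico's
code; the denylist is a constructed stand-in for "sanitize the LaTeX".
"""
import os
import re
import subprocess

# Control sequences a naive filter might refuse. Constructed list, not Indico's.
DENYLIST = (
    r"\input", r"\include", r"\openin", r"\read",
    r"\openout", r"\write", r"\immediate", r"\catcode",
)

# Match each control word only when not followed by another letter, so that
# e.g. \inputenc is not confused with \input.
_DENY_RE = re.compile("|".join(re.escape(c) + r"(?![A-Za-z])" for c in DENYLIST))


def naive_sanitizer_blocks(snippet: str) -> bool:
    """Return True if the constructed denylist would reject the snippet."""
    return _DENY_RE.search(snippet) is not None


# Two snippets with the same meaning to TeX. The second builds the control
# sequence \input at expansion time from the letters i-n-p-u-t, so the text
# never contains a literal "\input" for the pattern to find. This is ordinary
# TeX behaviour, shown only to illustrate why token-level filtering is fragile;
# it is not the payload from the advisory. Reading /etc/passwd works because
# TeX Live's default openin_any=a places no restriction on \input paths.
LITERAL = r"\input{/etc/passwd}"
CONSTRUCTED = r"\csname input\endcsname{/etc/passwd}"


def hardened_pdflatex_invocation(tex_file: str, workdir: str):
    """Build argv and environment for a pdflatex run that relies on TeX's own
    kpathsea restrictions rather than on filtering. Executes nothing.

    -no-shell-escape   disables \\write18 regardless of texmf.cnf
    openin_any=p       "paranoid": refuse absolute paths and .. components on
                       read, except under the working dir / TEXMFOUTPUT
    openout_any=p      same restriction for files the document writes
    shell_escape=f     same as -no-shell-escape, via the kpathsea variable
    TEXMFOUTPUT        pins any fallback output location to the scratch dir

    Assumption: kpathsea honours these variables from the environment as it
    does from texmf.cnf. Hypothetical helper, not part of Indico.
    """
    argv = [
        "pdflatex",
        "-no-shell-escape",
        "-interaction=batchmode",
        "-halt-on-error",
        f"-output-directory={workdir}",
        tex_file,
    ]
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "HOME": workdir,                      # no reading ~/.texmf-config etc.
        "TEXMFOUTPUT": workdir,
        "TEXMFVAR": os.path.join(workdir, "texmf-var"),
        "openin_any": "p",
        "openout_any": "p",
        "shell_escape": "f",
    }
    return argv, env


def render(tex_file: str, workdir: str, timeout: int = 30) -> int:
    """Run the hardened invocation with a wall-clock limit; return the exit code.
    Caller is expected to place tex_file inside workdir (a fresh scratch dir)."""
    argv, env = hardened_pdflatex_invocation(tex_file, workdir)
    proc = subprocess.run(argv, env=env, cwd=workdir, capture_output=True,
                          timeout=timeout, check=False)
    return proc.returncode


if __name__ == "__main__":
    for s in (LITERAL, CONSTRUCTED):
        verdict = "blocked" if naive_sanitizer_blocks(s) else "PASSED filter"
        print(f"{verdict:13} {s}")
    argv, env = hardened_pdflatex_invocation("job.tex", "/tmp/job")
    print(" ".join(argv))
    print({k: env[k] for k in ("openin_any", "openout_any", "shell_escape")})
```

Two caveats the code does not remove: `openin_any=p` still allows the document to read anything under the working directory and the TeX distribution trees, so the scratch directory must contain only that job's files; and the TeX engine itself is not a hardened sandbox, so the kpathsea settings are defence in depth beneath the containerized renderer that the Mitigation section names, not a substitute for it.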
References
- https://github.com/indico/indico/security/advisories/GHSA-rm2q-f7jv-3cfp
- https://github.com/indico/indico/commit/0adb70f0ed66e129361d447868f5f3eb90dc5e96
- https://github.com/indico/indico/commit/1dbb12525b3de14229bf4d1ae192988068f975f6
- https://github.com/indico/indico/commit/5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a
- https://github.com/indico/indico/commit/fb169ced710c30cf792ce4b9f48688db0633cfd8
- https://github.com/indico/indico/releases/tag/v3.3.12
Details
- CVE ID
- CVE-2026-33046
- Severity
- High
- CVSS Score
- 8.8
- Type
- command_injection
- Status
- confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H