CVE-2026-25739 MEDIUM

CVE-2026-25739: Indico affected by Cross-Site-Scripting via material uploads

Vendor Indico
Product indico
Weakness CWE-79 · XSS
Published February 19, 2026
Last update February 19, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.

Key dates

02Disclosure timeline

February 19, 2026 CVE published
February 19, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-53325 WordPress Beauty Contact Popup Form plugin <= 6.0 - Cross Site Scripting (XSS) Vulnerability CVE-2025-32613 WordPress Debug Log Manager plugin <= 2.3.4 - Cross Site Scripting (XSS) vulnerability CVE-2025-69386 WordPress RVCFDI para Woocommerce plugin <= 8.1.8 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-2617 yangyouwang 杨有旺 crud 简约后台管理系统 Department Page cross site scripting CVE-2026-33933 Reflected XSS via Unescaped contextName Parameter in Custom Template Editor