Indico: Malicious Files Can Be Uploaded via Material Uploads
CVE-2026-25739
GHSA-jxc4-54g3-j7vp
Summary
A cross-site scripting vulnerability allows attackers to upload malicious files as Indico materials, potentially harming users who open them. Indico 3.3.10 fixes the problem. Update Indico to that version and review your web server configuration so that the strict Content-Security-Policy is applied to file downloads.
What to do
- Update indico to version 3.3.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | indico | <= 3.3.10 | 3.3.10 |
| cern | indico | <= 3.3.10 | – |
Original title
Indico Affected by Cross-Site-Scripting via material uploads
Original description
### Impact
There is a Cross-Site-Scripting vulnerability when uploading certain file types as materials.
### Patches
You should update to [Indico 3.3.10](https://github.com/indico/indico/releases/tag/v3.3.10) as soon as possible.
See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.
Please be aware that to apply the fix itself updating is sufficient, but to benefit from the strict Content-Security-Policy we now apply by default for file downloads, you need to update your webserver config in case you use nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect` and add the following line to the `.xsf/indico/` location block (you can consult the Indico setup documentation for the full configuration snippet):
```nginx
add_header Content-Security-Policy $upstream_http_content_security_policy;
```
### Workarounds
- Use your webserver config to apply a strict CSP for material download endpoints.
- Only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
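Both the nginx note above and the first workaround depend on the material download response actually reaching the browser with a strict Content-Security-Policy. The following checker is an added example for this advisory, not Indico's own code: it parses a response's CSP header and classifies it as missing, weak, or strict enough to stop scripts in an uploaded HTML or SVG file from running. The advisory does not state the exact CSP value Indico emits, so the sample header sets are constructed.

```python
"""Assess whether a file-download response carries a Content-Security-Policy
strict enough to neutralise script in an uploaded file (e.g. HTML or SVG).
Added example for this advisory, not Indico's code; sample headers are constructed."""
import sys
import urllib.request


def parse_csp(value):
    """Parse a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def blocks_script(policy):
    """True if scripts in the served document cannot run: a 'sandbox' directive
    without allow-scripts, or script-src (falling back to default-src) of 'none'."""
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    return sources == ["'none'"]  # no applicable directive at all: scripts run


def assess_download_headers(headers):
    """Return 'missing', 'weak' or 'strict' for a response header mapping."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return "missing"  # e.g. nginx served the file without the upstream header
    return "strict" if blocks_script(parse_csp(csp)) else "weak"


# Constructed sample header sets, not captured from a real Indico instance.
SAMPLES = {
    "upstream CSP dropped": {"Content-Type": "text/html"},
    "permissive CSP": {"Content-Security-Policy": "default-src 'self'"},
    "strict CSP forwarded": {"Content-Security-Policy": "default-src 'none'; sandbox"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # optional: assess a live material download URL you operate
        with urllib.request.urlopen(sys.argv[1]) as resp:
            print(f"{sys.argv[1]}: {assess_download_headers(dict(resp.headers))}")
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {assess_download_headers(hdrs)}")
```

Run it against a material download URL on your own instance after the nginx change; a result of "missing" on an xaccelredirect deployment usually means the `add_header` line is not in the `.xsf/indico/` location block.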
### For more information
If you have any questions or comments about this advisory:
- Open a thread in [our forum](https://talk.getindico.io/)
- Email us privately at [[email protected]](mailto:[email protected])
NVD CVSS 3.1 base score: 5.4
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026