Skip to main content

TeXLive CVE-2026-33046

HIGH
Path Traversal (CWE-22)
2026-03-23 https://github.com/indico/indico
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:43 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 28 pypi packages depend on indico (28 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.3.12.

DescriptionGitHub Advisory

> [!NOTE] > If server-side LaTeX rendering is not in use (ie XELATEX_PATH was not set in indico.conf), this vulnerability does not apply.

Impact

Due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server.

Patches

It is recommended to update to Indico 3.3.12 as soon as possible. See the docs for instructions on how to update.

It is also strongly recommended to enable the containerized LaTeX renderer (using podman), which isolates it from the rest of the system. See the docs for details - it is very easy and from now on the only recommended/supported way of using LaTeX.

Workarounds

Remove the XELATEX_PATH setting from indico.conf (or comment it out or set it to None) and restart the indico-uwsgi and indico-celery services to disable LaTeX functionality.

For more information

For any questions or comments about this advisory:

  • Open a thread in the forum
  • Send an email to [indico-team@cern.ch](mailto:indico-team@cern.ch)

AnalysisAI

A LaTeX injection vulnerability in Indico (event management platform) allows authenticated attackers to read local files or execute arbitrary code on the server when server-side LaTeX rendering is enabled via XELATEX_PATH configuration. The vulnerability stems from TeXLive weaknesses and insufficient sanitization of LaTeX input, permitting specially-crafted snippets to bypass security controls. Patches are available in version 3.3.12, and there is no evidence of active exploitation (not in CISA KEV), though multiple proof-of-concept patches indicate the vulnerability has been thoroughly analyzed.

Technical ContextAI

Indico is a Python-based event management system (pkg:pip/indico) that optionally renders LaTeX documents server-side using XeLaTeX from the TeXLive distribution. The vulnerability is classified as CWE-22 (Path Traversal), though it extends beyond simple directory traversal to include command injection capabilities. The root cause involves obscure LaTeX syntax features that bypass Indico's input sanitization combined with inherent TeXLive vulnerabilities allowing file system access and command execution through LaTeX primitives like \input, \include, or shell-escape features. The attack surface only exists when XELATEX_PATH is explicitly configured in indico.conf, making server-side LaTeX rendering active.

RemediationAI

Upgrade to Indico version 3.3.12 or later following the official upgrade documentation at https://docs.getindico.io/en/stable/installation/upgrade/. It is strongly recommended to implement the containerized LaTeX renderer using Podman, which provides isolation from the host system and is now the only supported configuration (see https://docs.getindico.io/en/stable/installation/upgrade/#upgrading-to-3-3-12). As an immediate workaround if upgrading is not possible, disable LaTeX functionality by removing or commenting out the XELATEX_PATH setting in indico.conf (or setting it to None), then restart both indico-uwsgi and indico-celery services. The patches are tracked in commits 0adb70f0ed66e129361d447868f5f3eb90dc5e96, 1dbb12525b3de14229bf4d1ae192988068f975f6, 5f24d23ce9c4b0e4b68b3d0b58987a948fc57c8a, and fb169ced710c30cf792ce4b9f48688db0633cfd8.

Share

CVE-2026-33046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy