CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33046: LaTeX Injection Leading to Local File Disclosure and Remote Code Execution in Indico

Vulnerability ID: CVE-2026-33046
CVSS Score: 7.7
Published: 2026-03-23

CVE-2026-33046 identifies a critical vulnerability in the PDF generation module of the Indico event management system. Insufficient sanitization of user-provided LaTeX input allows attackers to use TeX's caret notation (for example ^^5c, which the engine reads as a backslash) to bypass the security filter. This enables the execution of restricted LaTeX commands, resulting in Local File Disclosure (LFD) and, depending on the build configuration, Remote Code Execution (RCE).

TL;DR

Indico versions prior to 3.3.12 are vulnerable to LaTeX injection via caret notation bypasses. This allows authenticated attackers to read arbitrary server files or execute system commands during PDF generation by circumventing the Python-based LaTeX sanitizer.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-74
  • Attack Vector: Network
  • CVSS v4.0 Score: 7.7
  • Impact: High (Confidentiality, Integrity, Availability)
  • Exploit Status: Proof-of-Concept
  • Primary Mitigation: Update to 3.3.12 and enable Podman

Affected Systems

  • Indico Event Management System (versions < 3.3.12)
  • TeXLive / XeLaTeX backend integration components
  • indico: < 3.3.12 (Fixed in: 3.3.12)

Code Analysis

Commit: 1dbb125

Fixed math-mode regex typo and added support for ^^5c.

Commit: fb169ce

Expanded regex to handle multiple carets and leading zeros.

Commit: 0adb70f

Introduced _resolve_latex_carets to recursively decode hex sequences.

Commit: 5f24d23

Hardened the caret parser to fully replicate the TeX engine's behavior.

Mitigation Strategies

  • Update Indico application to version 3.3.12 or later.
  • Enable Podman containerization for the xelatex compilation process.
  • Disable server-side LaTeX rendering entirely if immediate patching is unfeasible.
  • Implement Web Application Firewall (WAF) rules blocking consecutive caret hex sequences.
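The root cause described above is a sanitizer that inspects the raw text while the TeX engine decodes caret notation before interpreting it, so a backslash written as ^^5c never matches a filter looking for a literal backslash. The example below, added here and not code from Indico or from the CVE report, shows the defensive normalization step the fix commits describe (decode caret sequences to a fixed point, then filter) next to a naive check that skips it, plus a regex of the kind the WAF bullet above suggests. The decoding rules follow TeX's documented ^^ forms (^^ plus two lowercase hex digits, ^^ plus a single ASCII character with 64 added or subtracted, and XeTeX's ^^^^ and ^^^^^^ forms); the RESTRICTED list and all function names are assumptions for illustration, not Indico's real denylist.

```python
import re

# Sample denylist of commands a PDF-generation sanitizer might restrict
# (assumption; the page does not give Indico's actual list).
RESTRICTED = (r"\input", r"\include", r"\openin", r"\write18")

# Two or more carets followed by two lowercase hex digits, the pattern a
# perimeter rule could flag before the request reaches the application.
CARET_HEX = re.compile(r"\^{2,}[0-9a-f]{2}")

_HEX_DIGITS = set("0123456789abcdef")


def _is_hex(fragment: str, width: int) -> bool:
    """True if fragment is exactly `width` lowercase hex digits (TeX ignores uppercase)."""
    return len(fragment) == width and all(ch in _HEX_DIGITS for ch in fragment)


def _decode_once(text: str) -> str:
    """One left-to-right pass over the input, replacing each caret sequence."""
    out = []
    i, n = 0, len(text)
    while i < n:
        # XeTeX: ^^^^^^ + six hex digits, then ^^^^ + four hex digits.
        if text.startswith("^^^^^^", i) and _is_hex(text[i + 6:i + 12], 6):
            out.append(chr(int(text[i + 6:i + 12], 16)))
            i += 12
            continue
        if text.startswith("^^^^", i) and _is_hex(text[i + 4:i + 8], 4):
            out.append(chr(int(text[i + 4:i + 8], 16)))
            i += 8
            continue
        if text.startswith("^^", i) and i + 2 < n:
            # Classic TeX: ^^ + two hex digits gives that character code.
            if _is_hex(text[i + 2:i + 4], 2):
                out.append(chr(int(text[i + 2:i + 4], 16)))
                i += 4
                continue
            # Classic TeX: ^^c for ASCII c is c+64 when c < 64, else c-64 (so ^^M is CR).
            code = ord(text[i + 2])
            if code < 128:
                out.append(chr(code + 64 if code < 64 else code - 64))
                i += 3
                continue
        out.append(text[i])
        i += 1
    return "".join(out)


def resolve_latex_carets(text: str, max_rounds: int = 8) -> str:
    """Decode caret notation to a fixed point, since a decoded character can itself
    complete a new ^^ sequence (TeX re-scans the substituted character). The round
    limit bounds work on pathological input; a sanitizer can treat hitting it as reject."""
    for _ in range(max_rounds):
        decoded = _decode_once(text)
        if decoded == text:
            return decoded
        text = decoded
    return text


def find_restricted_commands(text: str, denylist=RESTRICTED, normalize: bool = True):
    """Return the restricted commands present in `text`. With normalize=False this is
    the naive check that inspects the raw input and therefore misses encoded backslashes."""
    haystack = resolve_latex_carets(text) if normalize else text
    return sorted(cmd for cmd in denylist if cmd in haystack)


def looks_like_caret_encoding(text: str) -> bool:
    """Coarse perimeter signal: does the input contain a caret-hex sequence at all?"""
    return bool(CARET_HEX.search(text))


if __name__ == "__main__":
    # Constructed sample: a command whose backslash is spelled as ^^5c.
    sample = "Abstract text ^^5cinput{placeholder-file}"
    print("raw check:       ", find_restricted_commands(sample, normalize=False))
    print("normalized check:", find_restricted_commands(sample))
    print("caret pattern:   ", looks_like_caret_encoding(sample))
```

The naive check returns nothing for the sample while the normalized check reports the command, which is the gap the fix closes. The regex is only a coarse signal: ordinary math such as x^2 does not match, but any legitimate use of caret notation in submitted LaTeX would, so treat it as a detection aid rather than a substitute for normalizing inside the application.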

Remediation Steps:

  1. Download and install Indico version 3.3.12 via your package manager or source.
  2. Modify the configuration file (indico.conf) to set XELATEX_PATH = 'podman'.
  3. Ensure the Podman service is installed and accessible by the indico user.
  4. Restart the indico-uwsgi service to apply changes.
  5. Restart the indico-celery service to apply changes to background tasks.
  6. Verify the integrity of the indico.conf file to ensure credentials have not been accessed.

Read the full report for CVE-2026-33046 on our website for more details including interactive diagrams and full exploit analysis.
