CVE-2025-71240 - SPIP < 4.2.15 Cross-Site Scripting via Code Tags
CVE ID : CVE-2025-71240
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71240
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71241 - SPIP < 4.3.6 Cross-Site Scripting in Private Area
CVE ID : CVE-2025-71241
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71241
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71242 - SPIP < 4.3.6 Authorization Bypass Leading to Content Disclosure
CVE ID : CVE-2025-71242
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71242
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71243 - SPIP Saisies Plugin < 5.11.1 Remote Code Execution
CVE ID : CVE-2025-71243
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71243
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : The 'Saisies pour formulaire' (Saisies) plugin for SPIP versions 5.4.0 through 5.11.0 contains a critical Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability to execute arbitrary code on the server. Users should immediately update to version 5.11.1 or later.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71244 - SPIP < 4.4.5 Open Redirect via Login Form
CVE ID : CVE-2025-71244
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71244
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71245 - SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
CVE ID : CVE-2025-71245
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71245
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71246 - SPIP < 4.4.8 Cross-Site Scripting in Public Area
CVE ID : CVE-2025-71246
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71246
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71247 - SPIP < 4.4.9 Blind Server-Side Request Forgery via Syndicated Sites
CVE ID : CVE-2025-71247
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71247
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71248 - SPIP < 4.4.9 Stored Cross-Site Scripting via Syndicated Sites
CVE ID : CVE-2025-71248
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71248
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71249 - SPIP < 4.4.9 Cross-Site Scripting in Private Area (Incomplete Fix)
CVE ID : CVE-2025-71249
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71249
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-71250 - SPIP < 4.4.9 Insecure Deserialization
CVE ID : CVE-2025-71250
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-71250
Published : Feb. 19, 2026, 2:58 p.m. | 1 hour, 31 minutes ago
Description : SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55853 - SoftVision webPDF SSRF Vulnerability
CVE ID : CVE-2025-55853
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55853
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25527 - changedetection.io vulnerable to unauthenticated static path traversal
CVE ID : CVE-2026-25527
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static//` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25527
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : changedetection.io is a free open source web page change detection tool. In versions prior to 0.53.2, the `/static//` route accepts `group=".."`, which causes `send_from_directory("static/..", filename)` to execute. This moves the base directory up to `/app/changedetectionio`, enabling unauthenticated local file read of application source files (e.g., `flask_app.py`). Version 0.53.2 fixes the issue.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25535 - jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
CVE ID : CVE-2026-25535
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25535
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25755 - jsPDF has PDF Object Injection via Unsanitized Input in addJS Method
CVE ID : CVE-2026-25755
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25755
Published : Feb. 19, 2026, 3:16 p.m. | 1 hour, 13 minutes ago
Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2274 - Arbitrary File Read and SSRF in Google AppSheet
CVE ID : CVE-2026-2274
Published : Feb. 19, 2026, 3:21 p.m. | 1 hour, 7 minutes ago
Description : A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2274
Published : Feb. 19, 2026, 3:21 p.m. | 1 hour, 7 minutes ago
Description : A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no customer action is needed.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26345 - SPIP < 4.4.8 Cross-Site Scripting in Public Area
CVE ID : CVE-2026-26345
Published : Feb. 19, 2026, 3:25 p.m. | 1 hour, 4 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26345
Published : Feb. 19, 2026, 3:25 p.m. | 1 hour, 4 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the public area for certain edge-case usage patterns. The echapper_html_suspect() function does not adequately detect all forms of malicious content, permitting an attacker to inject scripts that execute in a visitor's browser. This vulnerability is not mitigated by the SPIP security screen.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26223 - SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
CVE ID : CVE-2026-26223
Published : Feb. 19, 2026, 3:26 p.m. | 1 hour, 3 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26223
Published : Feb. 19, 2026, 3:26 p.m. | 1 hour, 3 minutes ago
Description : SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25940 - jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
CVE ID : CVE-2026-25940
Published : Feb. 19, 2026, 3:26 p.m. | 1 hour, 2 minutes ago
Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25940
Published : Feb. 19, 2026, 3:26 p.m. | 1 hour, 2 minutes ago
Description : jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25738 - Indico has Server-Side Request Forgery (SSRF) in multiple places
CVE ID : CVE-2026-25738
Published : Feb. 19, 2026, 3:30 p.m. | 58 minutes ago
Description : Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality but is never intended to let users access "special" targets such as localhost or cloud metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch. Those who do not have IPs that expose sensitive data without authentication (typically because they do not host Indico on AWS) are not affected. Only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. For those who trust their event organizers, the risk is also very limited. For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set both on the indico-uwsgi and indico-celery services.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25738
Published : Feb. 19, 2026, 3:30 p.m. | 58 minutes ago
Description : Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality but is never intended to let users access "special" targets such as localhost or cloud metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch. Those who do not have IPs that expose sensitive data without authentication (typically because they do not host Indico on AWS) are not affected. Only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. For those who trust their event organizers, the risk is also very limited. For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set both on the indico-uwsgi and indico-celery services.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25739 - Indico affected by Cross-Site-Scripting via material uploads
CVE ID : CVE-2026-25739
Published : Feb. 19, 2026, 3:39 p.m. | 49 minutes ago
Description : Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-25739
Published : Feb. 19, 2026, 3:39 p.m. | 49 minutes ago
Description : Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself updating is sufficient, but to benefit from the strict Content Security Policy (CSP) Indico now applies by default for file downloads, update the webserver config in case one uses nginx with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security advisory or Indico setup documentation. Some workarounds are available. Use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...