SCA: security update for indico (GHSA-jxc4-54g3-j7vp)

medium Tenable Self-Hosted Container Security Plugin ID 437771

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fix itself, updating is sufficient; but to benefit from the strict Content Security Policy (CSP) that Indico now applies by default for file downloads, also update the webserver config if nginx is used with Indico's `STATIC_FILE_METHOD` set to `xaccelredirect`. For further directions, consult the GitHub Security Advisory or the Indico setup documentation. Some workarounds are available: use the webserver config to apply a strict CSP for material download endpoints, and/or only let trustworthy users create content (including material uploads, which speakers can typically do as well) on Indico. (CVE-2026-25739)
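As an added illustration (not part of the Tenable plugin or the Indico project's own configuration), the webserver-side workaround referred to above: when Indico hands a material download to nginx via X-Accel-Redirect, nginx serves the file from an internal location and does not forward the application's Content-Security-Policy header, so the strict policy must be set on that location. The `/.xsf/indico/` path and `/opt/indico/` alias are assumptions modelled on a typical Indico setup; adjust them to the deployment's own `STATIC_FILE_METHOD` mapping.

```nginx
# Added example (not Indico's or Tenable's config). Assumes indico.conf has
#   STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})
# Change the location and alias to match the actual mapping in use.
location /.xsf/indico/ {
    internal;            # only reachable through an X-Accel-Redirect issued by Indico
    alias /opt/indico/;

    # nginx drops the upstream CSP header when following X-Accel-Redirect, so
    # apply a strict policy here: an uploaded HTML/SVG file may not run scripts,
    # load sub-resources or escape the sandbox, which neutralises stored XSS.
    # Note: add_header inside a location replaces any add_header inherited from
    # the enclosing server block, so repeat other required headers here.
    add_header Content-Security-Policy "default-src 'none'; sandbox;" always;
    add_header X-Content-Type-Options nosniff always;
}
```

After reloading nginx, a download of an uploaded material should carry the `Content-Security-Policy` header; a response without it indicates the file is being served through a different location than the one configured.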

See Also

https://github.com/advisories/GHSA-jxc4-54g3-j7vp

Plugin Details

Severity: Medium

ID: 437771

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/18/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-25739

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/17/2026

Vulnerability Publication Date: 2/17/2026

Reference Information

CVE: CVE-2026-25739

CWE: CWE-79