Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Published: 2026-02-25
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript execution via stored XSS in Rucio WebUI custom rule function
Action: Immediate Patch
AI Analysis

Impact

Rucio, a framework for managing scientific data, contains a stored Cross-Site Scripting flaw in the Custom Rules section of its WebUI. Attacker-controlled input is saved in the backend and later rendered in the interface without proper escaping. This flaw allows attackers to run arbitrary JavaScript in the browser context of any user who views the affected page, potentially enabling session cookie theft or other unauthorized actions within the Rucio system. The vulnerability corresponds to CWE-79 (Cross-Site Scripting) and CWE-1004 (Insecure Data Sequence) and carries a CVSS score of 7.3.

Affected Systems

All Rucio releases prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable. Deployments running the WebUI on any of these versions are at risk; installing 35.8.3, 38.5.4, or 39.3.1 (or a later release) resolves the issue.

Risk and Exploitability

The vulnerability is rated High with a CVSS score of 7.3, yet its EPSS score remains below 1% and it is not listed in the KEV catalog, indicating a low likelihood of widespread exploitation. Exploitation requires the ability to create a custom rule in the WebUI, which typically demands privileged access to the Rucio interface. An attacker would need to act as, or through, an administrator or another user holding that privilege to inject content that is later rendered for other users who view the rule. Exploitation is therefore feasible but gated on that privilege; the low EPSS suggests the risk in the current threat landscape is moderate, though it should not be ignored.

Generated by OpenCVE AI on April 17, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rucio to version 35.8.3, 38.5.4, 39.3.1, or any later release that contains the fix.
  • If an upgrade is not immediately feasible, limit or disable the Custom Rules feature for users who do not require it.
  • Implement input sanitation and output encoding in the WebUI to prevent unescaped user input from being rendered.
  • Deploy a Content Security Policy that restricts executable scripts to trusted sources (and disallows inline scripts) to limit execution of injected code.
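As an added example, not code from Rucio or from the advisory, the following Python puts the two remediation techniques above side by side: a custom-rule row rendered by plain string interpolation (the flaw class described in this CVE, where persisted text becomes live markup) next to the same row rendered with HTML output encoding, a small detection helper that flags script tags, inline event handlers and javascript: URLs in a rendered fragment, and a builder for a restrictive Content-Security-Policy header. The rule field names and the sample rule are constructed for illustration and are not Rucio's schema; only the standard library is used.

```python
import html
import re

# Constructed sample input. The field names are assumptions for this example,
# not Rucio's rule schema; the comment holds a generic HTML/script payload of
# the kind that a stored-XSS issue persists and later renders.
SAMPLE_RULE = {
    "rule_id": "rule-0001",
    "rse_expression": "tier=1&country=CH",
    "comment": "nightly copy <script>alert('xss')</script>",
}

# One table row of a hypothetical rule-listing page. rule_id appears both in
# an attribute and in element text, so both contexts need encoding.
ROW_TEMPLATE = (
    '<tr data-rule="{rule_id}">'
    "<td>{rule_id}</td><td>{rse_expression}</td><td>{comment}</td>"
    "</tr>"
)


def render_rule_unsafe(rule):
    """The flaw class: persisted, attacker-controlled text is interpolated
    straight into HTML, so markup inside the comment becomes live markup."""
    return ROW_TEMPLATE.format(**rule)


def render_rule_safe(rule):
    """Hardened form: every field is HTML-escaped before interpolation.
    quote=True also encodes ' and " so a value placed inside an attribute
    cannot close the attribute and start a new one."""
    escaped = {key: html.escape(str(value), quote=True) for key, value in rule.items()}
    return ROW_TEMPLATE.format(**escaped)


# Detection helper: matches a <script tag, an inline on*= event handler, or a
# javascript: URL scheme in rendered output. Useful as a test oracle for
# templates, not as a sanitizer (encode output instead of filtering input).
_ACTIVE_MARKUP = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def contains_active_markup(fragment):
    """True if a rendered HTML fragment still carries executable markup."""
    return _ACTIVE_MARKUP.search(fragment) is not None


def csp_header(script_sources=()):
    """Build a Content-Security-Policy value that limits scripts to the page's
    own origin plus explicitly listed hosts. Inline and wildcard script
    sources are refused because they would let injected <script> run."""
    for src in script_sources:
        if "unsafe-inline" in src or src.strip() == "*":
            raise ValueError("refusing inline or wildcard script source: %r" % src)
    script_src = " ".join(["'self'", *script_sources])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    print("unsafe:", render_rule_unsafe(SAMPLE_RULE))
    print("safe:  ", render_rule_safe(SAMPLE_RULE))
    print("csp:   ", csp_header(["https://cdn.example.invalid"]))
```

The encoded row renders the comment as visible text (`&lt;script&gt;...`) rather than as an element, which is the behaviour the fixed Rucio releases restore; the CSP builder is a defence-in-depth layer that limits what an injected script could do if an encoding gap remains.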

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-rwj9-7j48-9f7q   Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
History

Fri, 27 Feb 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cern; Cern rucio
CPEs                                  cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*
Vendors & Products                    Cern; Cern rucio

Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Rucio; Rucio rucio
Vendors & Products                    Rucio; Rucio rucio

Wed, 25 Feb 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description                   Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Title                         Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
Weaknesses                    CWE-1004; CWE-79
References
Metrics                       cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:02:31.146Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25733

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T20:23:47.717

Modified: 2026-02-27T19:23:40.350

Link: CVE-2026-25733

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses