Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Published: 2026-02-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that allows arbitrary JavaScript execution in the WebUI, potentially leading to session hijacking or unauthorized actions.
Action: Patch immediately
AI Analysis

Impact

Versions of Rucio before 35.8.3, 38.5.4, and 39.3.1 contain a stored cross‑site scripting flaw in the handling of RSE metadata within the WebUI. The flaw allows attacker‑controlled input to be persisted by the backend and subsequently rendered without proper output encoding, enabling the execution of arbitrary JavaScript in the context of users who view the affected pages. This could be used to steal session tokens or perform unauthorized actions on behalf of the user.

Affected Systems

The vulnerability affects the WebUI of any Rucio installation running a version earlier than 35.8.3, 38.5.4, or 39.3.1. Deployments on those earlier releases are at risk if they allow arbitrary RSE metadata to be stored and displayed.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, meaning no exploitation in the wild has been confirmed. An attacker would need to inject malicious payloads into RSE metadata and then persuade a legitimate user to view the modified page, after which the injected JavaScript would execute in the victim's browser session.

Generated by OpenCVE AI on April 17, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rucio to at least version 35.8.3, 38.5.4, or 39.3.1, which contain the fix for the stored cross‑site scripting issue.
  • If an immediate upgrade is not possible, ensure that any existing RSE metadata entries are reviewed and sanitized so that no script tags or executable code remain stored.
  • Implement output encoding for the RSE metadata fields in the WebUI as a temporary defensive measure, and consider deploying a Web Application Firewall rule to block requests containing suspicious script payloads.
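As an added example (not Rucio project code) of the output-encoding and metadata-review steps recommended above, the snippet below encodes RSE metadata keys and values before they are placed in WebUI markup and audits stored entries for markup characters; the function names and the sample metadata are constructed.

```javascript
// Added example, not Rucio project code: output-encode RSE metadata before
// rendering it in a WebUI page, and audit stored entries for markup.
// Function names and the sample metadata below are constructed.

// Map each HTML-significant character to its entity so a value can only
// ever appear as text, never as a tag or attribute.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one table row per metadata key. Every key and value passes through
// escapeHtml, which is the output-encoding step the advisory says was missing.
function renderRseMetadata(metadata) {
  const rows = Object.entries(metadata).map(
    ([key, value]) =>
      `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`,
  );
  return `<table>${rows.join('')}</table>`;
}

// Return the keys of stored entries whose key or value contains characters
// that a browser would interpret as markup if rendered unencoded. Intended
// for reviewing existing metadata on an instance that is not yet upgraded.
function findSuspiciousMetadata(metadata) {
  const markup = /[<>"']|javascript:/i;
  return Object.entries(metadata)
    .filter(([key, value]) => markup.test(key) || markup.test(String(value)))
    .map(([key]) => key);
}

// Constructed sample: one benign attribute and one carrying a script tag.
const SAMPLE_RSE_METADATA = {
  site: 'CERN-PROD',
  comment: '<script>alert(1)</script>',
};
```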



Advisories
Source: GitHub GHSA
ID: GHSA-h9fp-p2p9-873q
Title: Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata
History

Sat, 28 Feb 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Cern, Cern rucio
Type: CPEs
Values Added: cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Cern, Cern rucio

Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Rucio, Rucio rucio
Type: Vendors & Products
Values Added: Rucio, Rucio rucio

Wed, 25 Feb 2026 20:15:00 +0000

Type: Description
Values Added: Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Type: Title
Values Added: Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata
Type: Weaknesses
Values Added: CWE-1004, CWE-79
Type: References (no values listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:01:36.671Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25734

Vulnrichment

Updated: 2026-02-26T16:01:24.596Z

NVD

Status: Analyzed

Published: 2026-02-25T20:23:47.897

Modified: 2026-02-27T19:23:54.070

Link: CVE-2026-25734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses