Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Published: 2026-02-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

A stored Cross‑Site Scripting vulnerability exists in the Rucio WebUI when an attacker supplies malicious content in the Identity Name field. The backend persists this data, and the WebUI later renders it without proper output encoding, so the browser interprets it as markup rather than as plain text. If an affected user views the page, the injected script executes in that user’s browser, allowing the attacker to steal session cookies or perform actions on the user’s behalf.

Affected Systems

The flaw affects the Rucio framework. Versions older than 35.8.3, 38.5.4, or 39.3.1 are vulnerable. Any deployment running an older release on one of those lines, including the default distribution from CERN, is at risk.

Risk and Exploitability

The CVSS score of 6.1 rates this vulnerability as medium severity. The EPSS figure indicates a very low but non‑zero probability of exploitation, and it is not listed in the CISA KEV catalog. Attackers would likely exploit the WebUI by inserting malicious code through the identity name input, then target users who subsequently view the affected pages. Successful exploitation leads to client‑side script execution, potentially compromising user sessions and allowing unauthorized actions.

Generated by OpenCVE AI on April 17, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rucio to version 35.8.3, 38.5.4, or 39.3.1, or to any newer release on the same line that incorporates the output‑encoding fix.
  • If an immediate upgrade is not possible, disable the Identity Name field in the WebUI or enforce strict character validation to prevent rendering of user‑supplied content.
  • Introduce generic output encoding or sanitization for all user‑controlled fields in the UI, ensuring that any dynamic content is properly escaped before display.
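The third action above (output encoding for every user‑controlled field) is the root‑cause fix for this class of bug. The following is an added illustration, not code from Rucio or the Rucio WebUI: it shows the vulnerable rendering pattern (a stored value concatenated straight into markup) beside the hardened one (the value HTML‑encoded at the point of insertion), plus a small audit helper an operator can run over exported identity names to find values that contain markup characters before and after upgrading. The identity records, field names (`type`, `identity`) and sample values are constructed for the example.

```javascript
// Added example, not Rucio's code. Field names and sample data are assumed.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value. '&' must be handled first so the
// entities produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored field is interpolated directly into markup,
// so any markup inside the identity name becomes part of the page.
function renderIdentityRowUnsafe(identity) {
  return `<tr><td>${identity.type}</td><td>${identity.identity}</td></tr>`;
}

// Hardened pattern: every user-controlled value is encoded exactly where it
// is placed into the HTML. The browser shows the characters as text.
function renderIdentityRowSafe(identity) {
  return `<tr><td>${escapeHtml(identity.type)}</td><td>${escapeHtml(identity.identity)}</td></tr>`;
}

// Audit helper: flag stored identity names that contain characters with a
// meaning in HTML. Hits are candidates for review, not proof of an attack;
// legitimate values (an OIDC subject carrying '&', for instance) also match.
const HTML_SPECIAL = /[<>"'&]/;
function findSuspiciousIdentityNames(identities) {
  return identities.filter((i) => HTML_SPECIAL.test(i.identity));
}

// Constructed sample records: a plain account, an injected payload, an x509
// distinguished name and an OIDC-style subject with a '&' in it.
const SAMPLE_IDENTITIES = [
  { type: "userpass", identity: "alice" },
  { type: "x509", identity: "<script>alert(1)</script>" },
  { type: "x509", identity: "/DC=ch/DC=cern/CN=alice" },
  { type: "oidc", identity: "SUB=abc123&ISS=https://idp.example.org" },
];

// Stand-alone run: show both renderings of the injected record and the
// audit result over the sample set.
console.log("unsafe:", renderIdentityRowUnsafe(SAMPLE_IDENTITIES[1]));
console.log("safe:  ", renderIdentityRowSafe(SAMPLE_IDENTITIES[1]));
console.log(
  "review:",
  findSuspiciousIdentityNames(SAMPLE_IDENTITIES).map((i) => i.identity)
);
```

Encoding at the rendering boundary is preferable to input validation alone: validation on the write path does nothing for values already stored before the fix, which is why the audit helper scans existing data. In a real UI, building the row with DOM APIs and assigning `textContent` achieves the same effect as `escapeHtml` without string concatenation.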



Advisories
Source: Github GHSA
ID: GHSA-8wpv-6x3f-3rm5
Title: Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name
History

Fri, 27 Feb 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cern; Cern rucio
CPEs | | cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*
Vendors & Products | | Cern; Cern rucio

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rucio; Rucio rucio
Vendors & Products | | Rucio; Rucio rucio

Wed, 25 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Title | | Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name
Weaknesses | | CWE-1004; CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:00:36.501Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25735

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T20:23:48.070

Modified: 2026-02-27T19:24:03.393

Link: CVE-2026-25735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses