Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Published: 2026-02-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑site Scripting allowing arbitrary JavaScript execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Rucio’s WebUI Custom RSE Attribute. Attackers can inject arbitrary JavaScript that is saved by the backend and later rendered without proper output encoding, enabling execution in the browser context of any user who views the affected page. This could lead to session token theft or other unauthorized actions.

Affected Systems

Affected systems are installations of the Rucio framework that use versions earlier than 35.8.3, 38.5.4, or 39.3.1. The flaw resides in the handling of custom RSE attributes; any deployment relying on those legacy releases is vulnerable until a patched version is applied.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity, while the EPSS score of less than 1% suggests the likelihood of exploitation is low, and the issue is not currently listed in CISA’s KEV catalog. The attack vector is via the WebUI, requiring the attacker to supply malicious input to the RSE attribute, which is then persisted and rendered for other users. Once the script runs, it operates with the privileges of the viewing user, potentially allowing credential compromise or other client‑side attacks.

Generated by OpenCVE AI on April 17, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed Rucio release (35.8.3, 38.5.4, or 39.3.1 depending on your branch).
  • Apply proper HTML escaping or input sanitization to the Custom RSE Attribute before rendering it in the WebUI to mitigate stored XSS. (This addresses CWE‑79)
  • Limit the ability to modify Custom RSE Attributes to privileged users and audit changes for suspicious activity.
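The escaping recommendation above, as an added example that is not code from Rucio or from this advisory: a string-based renderer for a custom RSE attribute table row, with the unsafe concatenation beside the output-encoded form. The attribute names and values are constructed samples; `escapeHtml`, `renderRowUnsafe`, `renderRowSafe` and `injectedMarkupFree` are hypothetical names.

```javascript
// Added example (not Rucio code): rendering custom RSE attribute key/value
// pairs into HTML. Constructed sample data, including one hostile value.
const SAMPLE_ATTRS = [
  { key: 'site', value: 'CERN-PROD' },
  { key: 'note', value: '<script>alert("xss")</script>' }, // constructed hostile value
  { key: 'quote"attr', value: "O'Brien & Co" },
];

// Encode the five characters that matter in HTML text and quoted-attribute
// contexts. Encoding at render time is the fix for CWE-79; "sanitizing" on
// input is fragile because other consumers of the stored value may decode it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: attacker-controlled attribute text is concatenated
// straight into markup, so a stored "<script>..." value becomes live HTML.
function renderRowUnsafe(attr) {
  return `<tr><td>${attr.key}</td><td>${attr.value}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded before it reaches markup.
function renderRowSafe(attr) {
  return `<tr><td>${escapeHtml(attr.key)}</td><td>${escapeHtml(attr.value)}</td></tr>`;
}

function renderTable(attrs, renderRow) {
  return `<table>${attrs.map(renderRow).join('')}</table>`;
}

// Regression check for a UI test suite: strip the structural tags the renderer
// itself emits; any '<' or '>' left over came from untrusted data.
function injectedMarkupFree(html) {
  const stripped = html.replace(/<\/?(table|tr|td)>/g, '');
  return !/[<>]/.test(stripped);
}

console.log(renderTable(SAMPLE_ATTRS, renderRowSafe));
```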



Advisories

Source: Github GHSA
ID: GHSA-fq4f-4738-rqxm
Title: Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute
History

Sat, 28 Feb 2026 05:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 19:30:00 +0000

Values added:
  First Time appeared: Cern, Cern rucio
  CPEs: cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*
  Vendors & Products: Cern, Cern rucio

Thu, 26 Feb 2026 13:30:00 +0000

Values added:
  First Time appeared: Rucio, Rucio rucio
  Vendors & Products: Rucio, Rucio rucio

Wed, 25 Feb 2026 20:15:00 +0000

Values added:
  Description: identical to the description at the top of this record
  Title: Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute
  Weaknesses: CWE-1004, CWE-79
  References: (none listed)
  Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:59:19.879Z

Reserved: 2026-02-05T16:48:00.427Z

Link: CVE-2026-25736

Vulnrichment

Updated: 2026-02-26T15:59:04.070Z

NVD

Status: Analyzed

Published: 2026-02-25T20:23:48.243

Modified: 2026-02-27T19:24:13.017

Link: CVE-2026-25736

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses