CVE-2026-25733

HIGH 7.3

Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

CWE	CWE-79 CWE-1004
Vendor	rucio
Product	rucio
Published	Feb 25, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for rucio rucio

Be the first to know when new high vulnerabilities affecting rucio rucio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

rucio / rucio

< 35.8.3 >= 36.0.0rc1, < 38.5.4 >= 39.0.0rc1, < 39.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q cheatsheetseries.owasp.org: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html github.com: https://github.com/rucio/rucio/releases/tag/35.8.3 github.com: https://github.com/rucio/rucio/releases/tag/38.5.4 github.com: https://github.com/rucio/rucio/releases/tag/39.3.1