What is the CVSS score of CVE-2026-25733?

CVE-2026-25733 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Rucio are affected by CVE-2026-25733?

CVE-2026-25733 is a HIGH severity vulnerability affecting Rucio data management systems with no patch currently available and active public exploits in circulation.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25733?

Yes, a public proof-of-concept exploit is available for CVE-2026-25733. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25733?

Within 24 hours: Identify all systems running Rucio and assess data sensitivity; enable enhanced logging and monitoring on affected instances. Within 7 days: Implement network segmentation to restrict Rucio access to authorized users only; establish 24/7 monitoring for exploitation attempts; document current system configurations as baseline. Within 30 days: Actively monitor vendor advisories for patch release; evaluate alternative data management solutions; conduct security assessment of Rucio deployments; develop incident response plan specific to this vulnerability.

Rucio CVE-2026-25733

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-25 security-advisories@github.com

GHSA-rwj9-7j48-9f7q

XSS Rucio

7.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 27, 2026 - 19:23 vuln.today

Public exploit code

CVE Published

Feb 25, 2026 - 20:23 nvd

HIGH 7.3

DescriptionGitHub Advisory

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

AnalysisAI

Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Rucio WebUI

Delivery

Create malicious custom rule with XSS payload

Exploit

Persist payload in backend database

Execution

Other users view rule page

Impact

JavaScript executes in browser context