CVE-2026-25733
HIGH
GHSA-rwj9-7j48-9f7q
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Analysis
Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Rucio and assess data sensitivity; enable enhanced logging and monitoring on affected instances. Within 7 days: Implement network segmentation to restrict Rucio access to authorized users only; establish 24/7 monitoring for exploitation attempts; document current system configurations as baseline. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today