CVE-2026-25136
Reflected XSS in Rucio WebUI 500 Error Leaks Sessions
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cern | rucio | Up to 35.8.3 (exc) |
| cern | rucio | From 36.0.0 (inc) to 38.5.4 (exc) |
| cern | rucio | From 39.0.0 (inc) to 39.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1004 | The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25136 is a reflected Cross-Site Scripting (XSS) vulnerability in the Rucio WebUI affecting versions prior to 35.8.3, 38.5.4, and 39.3.1. The issue occurs because the WebUI improperly renders the ExceptionMessage in 500 error responses by inserting user-controlled input as unencoded HTML. This allows attackers to craft URLs or inputs that cause malicious scripts to be executed in the context of the victim's browser.

Specifically, the vulnerability arises from server-side code inserting ExceptionMessage into HTTP response headers and JSON bodies without proper encoding, and the client-side WebUI injecting this message into the DOM using unsafe methods like jQuery.html(). This enables execution of attacker-supplied JavaScript.

Proof-of-concept exploits include injecting malicious scripts via URL parameters or POST requests that cause the ExceptionMessage to contain executable script code, which can steal session cookies or perform unauthorized actions. [3]
How can this vulnerability impact me?
This vulnerability can have significant impacts including the theft of login session tokens from users who visit specially crafted URLs, enabling attackers to hijack user sessions.
Because session cookies lack the HttpOnly flag, malicious scripts executed via this vulnerability can access these cookies, increasing the risk of account compromise.
Attackers can also perform unauthorized actions such as creating new user identities with attacker-known passwords, and API tokens exposed in JavaScript variables on many pages further increase the risk.
Overall, the vulnerability allows remote attackers with no privileges to execute arbitrary JavaScript in the context of authenticated users, leading to high confidentiality and integrity impacts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this reflected Cross-Site Scripting (XSS) vulnerability involves identifying whether the Rucio WebUI is running a vulnerable version prior to 35.8.3, 38.5.4, or 39.3.1 and testing whether crafted URLs or inputs cause execution of injected scripts.

A practical detection method is to attempt accessing the WebUI with a specially crafted URL containing a script payload in the "account" parameter, such as:

`https://<rucio-webui-host>/somepath?account=<img src=x onerror=alert(document.cookie)>`

If an alert box or script execution occurs, the system is vulnerable.

For authenticated users, testing POST requests with malicious script tags in account key attribute creation errors can also reveal the vulnerability.

Network or system commands to detect this vulnerability are not explicitly provided in the resources. However, manual testing with curl or browser developer tools can be used to send crafted requests and observe responses.

- Example curl command to test reflected XSS via the account parameter: `curl -i "https://<rucio-webui-host>/somepath?account=<img src=x onerror=alert(document.cookie)>"`
- Use browser developer tools to inspect whether the ExceptionMessage in 500 error responses reflects unencoded HTML containing the injected script. [3]
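As an added defensive example that is not part of the advisory or the Rucio project, the following scans access-log lines for requests whose decoded query parameters carry HTML tag syntax (the shape of a probe against this reflected XSS) and records whether each coincided with a 500 response, the reflection path this CVE describes. The log lines, paths and addresses are constructed sample data.

```javascript
// Added example, not from the advisory or the Rucio project: flag access-log
// entries whose query parameters carry HTML tag syntax (a reflected-XSS probe)
// and note whether they coincided with a 500, the reflection path of this CVE.
// Log lines, paths and addresses below are constructed sample data.
const SAMPLE_LOG = [
  '10.0.0.5 - - [25/Feb/2026:10:00:01 +0000] "GET /account/jdoe HTTP/1.1" 200 512',
  '10.0.0.9 - - [25/Feb/2026:10:00:07 +0000] "GET /somepath?account=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 500 1337',
  '10.0.0.9 - - [25/Feb/2026:10:00:09 +0000] "GET /somepath?account=alice%3C3 HTTP/1.1" 200 1301',
];
// Combined log format: client, two user fields, timestamp, request line, status, size.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$/;
// '<' followed by a letter, '!' or '/' is tag syntax; "alice<3" is not.
const TAG_START_RE = /<\s*[a-z!\/]/i;
// Percent-decode a query component; malformed escapes are returned as-is.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}
// Split "a=1&b=2" into decoded {name, value} pairs.
function parseQuery(query) {
  return query === '' ? [] : query.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const name = eq >= 0 ? pair.slice(0, eq) : pair;
    const value = eq >= 0 ? pair.slice(eq + 1) : '';
    return { name: safeDecode(name), value: safeDecode(value) };
  });
}
// Parse one line into its fields and query parameters; null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const q = target.indexOf('?');
  return {
    ip, ts, method,
    path: q >= 0 ? target.slice(0, q) : target,
    status: Number(status),
    params: parseQuery(q >= 0 ? target.slice(q + 1) : ''),
  };
}
// One finding per parameter whose decoded value looks like markup.
function findXssProbes(lines) {
  const hits = [];
  for (const r of lines.map(parseLine).filter(Boolean)) {
    for (const p of r.params.filter((p) => TAG_START_RE.test(p.value))) {
      hits.push({ ip: r.ip, path: r.path, param: p.name, status: r.status,
                  reflectedInto500: r.status === 500 });
    }
  }
  return hits;
}
```

A probe that lands on a 500 is the combination worth alerting on for this CVE; the same request answered with a 200 or 4xx is still a reconnaissance signal but not a confirmed reflection.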
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading the Rucio WebUI to a fixed version: 35.8.3, 38.5.4, or 39.3.1, which address this reflected XSS vulnerability and other related security issues.
Additional mitigation steps include:
- Modify client-side code to replace unsafe insertion methods like jQuery.html() with safe methods such as jQuery.text() or creating text nodes that properly encode HTML entities.
- Implement a Content Security Policy (CSP) to restrict execution of unauthorized scripts and reduce the impact of XSS attacks.
- Set the HttpOnly flag on session cookies to prevent JavaScript access to session tokens.
- Avoid embedding API tokens in JavaScript variables to reduce exposure.
Following OWASP best practices for XSS prevention, such as proper output encoding, input validation, and use of safe sinks for dynamic content, will further strengthen defenses.
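As an added example that is not Rucio's code, the following places the unsafe sink the advisory describes (jQuery.html() or innerHTML fed an unencoded ExceptionMessage) beside the two fixes listed above, a text sink and entity encoding before insertion. The element stand-in, wrapper template and sample message are assumptions made so the code runs under Node without a browser or jQuery.

```javascript
// Added example, not Rucio's code: the unsafe sink the advisory describes
// (jQuery.html() / innerHTML fed an unencoded ExceptionMessage) beside the two
// fixes it recommends. A small stand-in for a DOM element keeps this runnable
// under Node without a browser or jQuery; `markup` is what the browser would parse.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITY[c]);
}
function makeElement() {
  return {
    markup: '',
    setHtml(s) { this.markup = String(s); },       // like $(el).html(s) / el.innerHTML = s
    setText(s) { this.markup = escapeHtml(s); },   // like $(el).text(s) / el.textContent = s
  };
}
// Vulnerable pattern: the ExceptionMessage from the 500 response is treated as
// markup, so any tag inside it becomes part of the page.
function renderErrorUnsafe(exceptionMessage) {
  const el = makeElement();
  el.setHtml('<div class="alert">' + exceptionMessage + '</div>');
  return el.markup;
}
// Fix 1: use a text sink; the whole message becomes character data.
function renderErrorAsText(exceptionMessage) {
  const el = makeElement();
  el.setText(exceptionMessage);
  return el.markup;
}
// Fix 2: keep the wrapper template but entity-encode the untrusted part.
function renderErrorEncoded(exceptionMessage) {
  const el = makeElement();
  el.setHtml('<div class="alert">' + escapeHtml(exceptionMessage) + '</div>');
  return el.markup;
}
// True if the rendered markup contains any element other than our own wrapper div.
function hasForeignTag(markup) {
  return /<(?!\/?div\b)[a-z!\/]/i.test(markup);
}
// Constructed sample: an error message that echoes a hostile account name.
const SAMPLE_MESSAGE = "Account '<img src=x onerror=alert(1)>' does not exist";
```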