CVE-2026-25736
Stored XSS in Rucio WebUI Custom RSE Attribute
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| cern | rucio | < 35.8.3 |
| cern | rucio | >= 36.0.0 and < 38.5.4 |
| cern | rucio | >= 39.0.0 and < 39.3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1004 | The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25736 is a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute feature of the Rucio WebUI. It occurs because attacker-controlled input is saved by the backend and later displayed in the WebUI without proper output encoding. This allows an attacker to inject malicious JavaScript code that executes in the context of the WebUI for users who view the affected pages.
An attacker can exploit this by sending a specially crafted POST request containing a script payload, which gets stored and executed when the RSE is viewed in the WebUI under Admin > RSE Management > RSE NAME.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary JavaScript execution in the WebUI, which may result in session token theft or unauthorized actions performed on behalf of the victim user.
- Attackers can steal session tokens because session cookies lack the HttpOnly flag, making them accessible to JavaScript.
- API tokens exposed in JavaScript variables can also be accessed and exfiltrated by attackers.
- Attackers may perform unauthorized actions such as creating new UserPass identities, modifying RSEs, or exfiltrating data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by injecting a test payload into a custom RSE attribute through the WebUI endpoint and observing whether it is stored and then executed when the affected RSE page is viewed.
A specific test involves sending a POST request with a payload such as `<script>alert('XSS')</script>` to the endpoint `/proxy/rses/WEB1/attr/XSS`, where `WEB1` is the RSE name and `XSS` is the attribute key.
If the script executes when viewing the RSE under Admin > RSE Management > RSE NAME in the WebUI, the vulnerability is present.
- Example curl command to test injection (send it with whatever session credentials the endpoint requires, and only against a deployment you are authorised to test): `curl -X POST -d "<script>alert('XSS')</script>" https://your-rucio-server/proxy/rses/WEB1/attr/XSS`
- After injection, navigate in the WebUI to Admin > RSE Management > WEB1 and check whether the alert box appears.
- Because the payload is stored, delete the test attribute afterwards; otherwise it keeps executing for every user who opens that RSE page. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade the Rucio WebUI to 35.8.3, 38.5.4 or 39.3.1 (or a later release in the same line), where the vulnerability is fixed.
In addition, avoid unsafe rendering methods such as jQuery's `.html()` for displaying user-controlled values unless the content has been explicitly sanitized for the context it is placed in.
Use safer alternatives such as `.text()`, DOM text nodes, or a templating system with automatic escaping, so attribute values are shown as text rather than parsed as markup.
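The two rendering paths described in the explanation above and in the `.html()` versus `.text()` advice, as an added example that is not Rucio WebUI code: the attribute samples are constructed, the function names are hypothetical, and the markup is built as strings so it runs under Node without a browser DOM.

```javascript
// Added example, not Rucio WebUI code: models the vulnerable and hardened ways
// of turning a stored RSE attribute into table markup. Function names and the
// sample attributes are hypothetical/constructed.

// Constructed attributes of the kind the advisory describes being POSTed to
// /proxy/rses/<RSE>/attr/<KEY> and later rendered. Nothing here contacts a server.
const STORED_ATTRS = [
  { key: "lfn2pfn_algorithm", value: "hash" },                 // benign
  { key: "XSS", value: "<script>alert('XSS')</script>" },      // the advisory's payload
  { key: "img", value: "<img src=x onerror=alert(1)>" },       // handler-based variant
];

// Escape for text placed in element content (and quoted attribute values).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable path: markup built by concatenation and handed to .html()/innerHTML,
// so attribute values are parsed as HTML instead of being shown as text.
function renderAttrRowUnsafe(attr) {
  return `<tr><td>${attr.key}</td><td>${attr.value}</td></tr>`;
}

// Hardened path: identical layout, but every user-controlled value is escaped
// before it becomes markup. In a browser the equivalent is td.textContent = value
// or jQuery's .text(value), which create text nodes rather than parsing HTML.
function renderAttrRowSafe(attr) {
  return `<tr><td>${escapeHtml(attr.key)}</td><td>${escapeHtml(attr.value)}</td></tr>`;
}

// Heuristic review check on produced markup: a raw <script> tag, an inline on*
// event handler, or a javascript: URL. It is not a browser; the real test is to
// view the page as the advisory's detection steps describe.
function containsActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Render every attribute both ways and report which rows would be live markup.
function auditRows(attrs) {
  return attrs.map((a) => ({
    key: a.key,
    unsafeIsActive: containsActiveMarkup(renderAttrRowUnsafe(a)),
    safeIsActive: containsActiveMarkup(renderAttrRowSafe(a)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditRows(STORED_ATTRS)) console.log(r);
}
```

Escaping for element content is the right fix for the table cell the advisory describes; a value that ends up inside a URL or a script block needs context-specific encoding instead, which is why a templating engine with automatic contextual escaping is the more robust choice.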
Implement defense-in-depth measures such as enforcing a strict Content Security Policy (CSP) to restrict script execution.
Set the HttpOnly flag on session cookies to prevent JavaScript access to session tokens.
Avoid exposing API tokens in JavaScript-accessible variables within the WebUI.
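Response-header hardening for the last three measures (CSP, HttpOnly session cookies, no JavaScript-reachable tokens), as an added example that is not Rucio's own configuration: the cookie name `rucio-session`, the function names and the CSP value are assumptions, and the parsers are meant to be pointed at headers captured from your own deployment to confirm the cookie flags CWE-1004 is about.

```javascript
// Added example, not Rucio WebUI configuration: weak vs. hardened Set-Cookie
// and Content-Security-Policy values, plus small checkers for captured headers.
// Cookie name, function names and the CSP value are assumptions.

// Weak: the cookie is readable by any script running in the page, so an
// injected payload can exfiltrate it (CWE-1004).
function sessionCookieWeak(token) {
  return `rucio-session=${token}; Path=/`;
}

// Hardened: HttpOnly keeps it out of document.cookie, Secure keeps it off
// plaintext HTTP, SameSite limits cross-site sending.
function sessionCookieHardened(token) {
  return `rucio-session=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse one Set-Cookie header into { name, value, attrs } (attribute names lower-cased,
// flag attributes such as HttpOnly become true).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Findings for a session cookie header; an empty list means the flags are present.
function cookieFindings(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push("missing HttpOnly (CWE-1004)");
  if (!c.attrs.secure) findings.push("missing Secure");
  if (!c.attrs.samesite) findings.push("missing SameSite");
  return findings;
}

// A CSP that refuses inline script, which is exactly what an injected <script>
// or onerror= handler is. 'self' still permits the UI's own bundled scripts;
// a real deployment also needs connect-src for the Rucio API origin it talks to.
const CSP_HARDENED =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

// Does a CSP header value let inline script run? True when nothing restricts
// script sources or when 'unsafe-inline' is allowed without a nonce/hash source
// (browsers ignore 'unsafe-inline' once a nonce or hash is present).
function cspAllowsInlineScript(csp) {
  const directives = {};
  for (const d of csp.split(";")) {
    const [name, ...vals] = d.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = vals;
  }
  const src = directives["script-src"] || directives["default-src"];
  if (!src) return true;
  const hasNonceOrHash = src.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(cookieFindings(sessionCookieWeak("constructed-token")));
  console.log(cookieFindings(sessionCookieHardened("constructed-token")));
  console.log(cspAllowsInlineScript(CSP_HARDENED));
}
```

HttpOnly stops the cookie-theft path but not the "unauthorized actions on behalf of the victim" path, since injected script can still issue requests that carry the cookie automatically; the CSP is what removes the injected script's ability to run at all, and an API token kept in a JavaScript variable gets neither protection, which is why the last measure above matters independently.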