PT-2026-21999 · Rucio · Rucio
D-Woosley
Published: 2026-02-25
Updated: 2026-02-26
CVE-2026-25733
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1
Description
Rucio contains a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI. An attacker can inject malicious code through the comment field; the input is stored and executed when other users view the affected pages. This allows arbitrary JavaScript execution in the context of the WebUI, potentially leading to session token theft or unauthorized actions. The issue arises because attacker-controlled input is not properly encoded before being rendered in the WebUI.

The vulnerability is triggered by creating a new rule with a malicious payload in the comment field; the script then executes when the rule is viewed or approved. The API endpoint used to create the request is /proxy/rules/, and the vulnerable parameter is comment. An attacker could potentially create a new UserPass identity or exfiltrate data.

Recommendations
Versions prior to 35.8.3 should be updated to version 35.8.3 or later.
Versions prior to 38.5.4 should be updated to version 38.5.4 or later.
Versions prior to 39.3.1 should be updated to version 39.3.1 or later.
Ensure all client-side renderings of server-provided or user-controlled data implement proper HTML escaping before insertion into the DOM.
Enforce a strict Content Security Policy (CSP).
Set the HttpOnly flag on session cookies.
Avoid exposing API tokens in JavaScript-accessible variables.
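As an added example (not Rucio's code and not its WebUI templates), the escaping step recommended above, shown beside the vulnerable concatenation pattern the advisory describes; the rule object, its field names and the sample comment are constructed for illustration.

```javascript
// Added example (not Rucio's code): a rule comment is attacker-controlled,
// so it must be HTML-escaped before it is inserted into the DOM.

// Characters that carry meaning in HTML text and quoted attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value so it is rendered as inert text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: fields are concatenated verbatim into markup, so any
// tag inside the comment becomes a live element once assigned via innerHTML.
function renderRuleRowUnsafe(rule) {
  return `<tr><td>${rule.id}</td><td>${rule.comment}</td></tr>`;
}

// Hardened pattern: every server-provided field is escaped before insertion.
function renderRuleRowSafe(rule) {
  return `<tr><td>${escapeHtml(rule.id)}</td><td>${escapeHtml(rule.comment)}</td></tr>`;
}

// Regression check: the rendered row must not contain the untrusted field
// in raw form when that field holds markup.
function rendersWithoutRawMarkup(renderFn, rule) {
  return !renderFn(rule).includes(rule.comment);
}

// Constructed sample rule (hypothetical id and comment, not from the advisory).
const SAMPLE_RULE = {
  id: "rule-0001",
  comment: '<b>urgent</b><script>alert(1)</script> needs approval',
};

// Stand-alone run: the unsafe renderer leaks the script tag, the safe one does not.
console.log("unsafe leaks markup:", !rendersWithoutRawMarkup(renderRuleRowUnsafe, SAMPLE_RULE));
console.log("safe leaks markup:  ", !rendersWithoutRawMarkup(renderRuleRowSafe, SAMPLE_RULE));
```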
Vulnerability type: XSS
Affected Products: Rucio