PT-2026-22000 · Rucio · Rucio

D-Woosley

Published 2026-02-25 · Updated 2026-02-26

CVE-2026-25734

CVSS v3.1 6.1 Medium
Vector AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Rucio versions prior to 35.8.3
Rucio versions prior to 38.5.4
Rucio versions prior to 39.3.1
Description

Rucio is a software framework used to organize, manage, and access large volumes of scientific data. A stored Cross-Site Scripting (XSS) vulnerability exists in the RSE metadata shown by the WebUI. An attacker can submit input that the backend stores and the WebUI later renders without encoding, so arbitrary JavaScript executes in the context of the WebUI whenever a user views the affected pages. This can lead to theft of the viewer's session token or to unauthorized actions performed with the viewer's privileges.

The affected fields are the 'City', 'Country Name', and 'ISP' attributes set when creating or modifying RSEs through the Admin > RSE Management interface. The same values can be written with a POST request to the /proxy/rses/XSSTEST API endpoint carrying the payload in the JSON body. Writing these attributes requires RSE-management rights (reflected in the vector's PR:H), but the stored payload fires in the browser of any user who views the page.

The impact is amplified by two further weaknesses: session cookies lack the HttpOnly flag, so injected script can read them, and API tokens are exposed in JavaScript variables. With either of those, an attacker could create a new UserPass identity or exfiltrate data.
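The rendering flaw described above, as an added example that is not Rucio's code: a row renderer that interpolates RSE metadata straight into markup, beside one that HTML-encodes each field first. The field names (city, countryName, isp), the table layout and the sample record are assumptions for illustration; the payload in the City field is constructed.

```javascript
// Added example, not Rucio's code. Field names and layout are assumptions.

// Constructed sample: an RSE record as stored by an attacker with RSE-management
// rights. The City value carries a typical stored-XSS payload.
const SAMPLE_RSE = {
  rse: "XSSTEST",
  city: '<img src=x onerror="alert(document.cookie)">',
  countryName: 'Fr"ance<script>alert(1)</script>',
  isp: "Example ISP & Co",
};

// Encode the five characters that matter in HTML text and attribute contexts.
// '&' must go first so already-encoded output is not double-encoded later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE pattern: server-provided metadata is interpolated straight into
// markup that a WebUI would hand to innerHTML. The stored payload becomes a
// real <img> element whose onerror handler runs in the viewer's session.
function renderRseRowUnsafe(rse) {
  return (
    `<tr><td>${rse.rse}</td><td>${rse.city}</td>` +
    `<td>${rse.countryName}</td><td>${rse.isp}</td></tr>`
  );
}

// HARDENED pattern: every field is encoded before insertion, so the browser
// renders the payload as literal text instead of parsing it as an element.
function renderRseRowSafe(rse) {
  const cells = [rse.rse, rse.city, rse.countryName, rse.isp].map(escapeHtml);
  return `<tr>${cells.map((c) => `<td>${c}</td>`).join("")}</tr>`;
}

// Regression check: a correctly encoded row contains no '<' or '>' inside any
// cell; the only tags present are the ones the template itself emits.
function containsRawTag(html) {
  return !/^<tr>(<td>[^<>]*<\/td>)+<\/tr>$/.test(html);
}

// Stand-alone demonstration.
console.log("unsafe row leaks a raw tag:", containsRawTag(renderRseRowUnsafe(SAMPLE_RSE)));
console.log("safe row leaks a raw tag:  ", containsRawTag(renderRseRowSafe(SAMPLE_RSE)));
console.log(renderRseRowSafe(SAMPLE_RSE));
```

In a browser the same rule applies to DOM code: assign metadata through textContent (or a templating layer that encodes by default) rather than innerHTML. Output encoding is the fix the advisory calls for; the CSP and cookie flags it also recommends limit the damage when an encoding gap remains.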
Recommendations

Versions prior to 35.8.3 should be upgraded to version 35.8.3 or later.
Versions prior to 38.5.4 should be upgraded to version 38.5.4 or later.
Versions prior to 39.3.1 should be upgraded to version 39.3.1 or later.

Ensure all client-side renderings of server-provided or user-controlled data apply proper HTML escaping before insertion into the DOM.
Enforce a strict Content Security Policy (CSP).
Set the HttpOnly flag on session cookies.
Avoid exposing API tokens in JavaScript-accessible variables.
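An added check, not part of the advisory or of Rucio, for the two header-level recommendations: it parses a Set-Cookie header and a Content-Security-Policy header and reports the settings that would let a stored XSS payload read the session cookie or execute at all. The header values are constructed samples.

```javascript
// Added example, not Rucio's code. Cookie and CSP values are constructed samples.

// Parse a Set-Cookie header into the cookie name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const attributes = new Map();
  for (const a of attrs) {
    if (!a) continue;
    const [k, v = ""] = a.split("=");
    attributes.set(k.toLowerCase(), v);
  }
  return { name, attributes };
}

// A session cookie must be HttpOnly (script cannot read it, so the advisory's
// token-theft path is closed), Secure, and should carry SameSite to blunt
// cross-site requests forged from the same injected script.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.has("httponly")) findings.push(`${name}: missing HttpOnly`);
  if (!attributes.has("secure")) findings.push(`${name}: missing Secure`);
  if (!attributes.has("samesite")) findings.push(`${name}: missing SameSite`);
  return findings;
}

// Parse a CSP into a directive -> source-list map.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// A CSP only blocks a stored payload such as <img onerror="..."> if the script
// source list exists and excludes 'unsafe-inline' and wildcard sources;
// script-src falls back to default-src when absent.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const label = d.has("script-src") ? "script-src" : "default-src (script-src fallback)";
  const sources = d.get("script-src") || d.get("default-src");
  if (!sources) {
    findings.push("no script-src or default-src: inline script allowed");
    return findings;
  }
  if (sources.includes("'unsafe-inline'")) findings.push(`${label} allows 'unsafe-inline'`);
  if (sources.includes("'unsafe-eval'")) findings.push(`${label} allows 'unsafe-eval'`);
  if (sources.includes("*")) findings.push(`${label} allows a wildcard source`);
  return findings;
}

// Constructed before/after samples for a deployment check.
const WEAK_COOKIE = "session=abc123; Path=/";
const HARDENED_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";
const WEAK_CSP = "default-src 'self' 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

console.log("weak cookie:    ", auditSessionCookie(WEAK_COOKIE));
console.log("hardened cookie:", auditSessionCookie(HARDENED_COOKIE));
console.log("weak CSP:       ", auditCsp(WEAK_CSP));
console.log("hardened CSP:   ", auditCsp(HARDENED_CSP));
```

Run it against the real Set-Cookie and Content-Security-Policy headers returned by the WebUI after the upgrade; an empty findings list for both is the expected result. The check says nothing about tokens held in JavaScript variables, which needs a code review of the client bundle rather than a header audit.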

XSS

Related Identifiers

CVE-2026-25734
GHSA-H9FP-P2P9-873Q

Affected Products

Rucio