PT-2026-22001 · Rucio · Rucio
D-Woosley · Published 2026-02-25 · Updated 2026-02-26 · CVE-2026-25735
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1
Description: Rucio is a software framework for organizing, managing, and accessing large volumes of scientific data. A stored Cross-Site Scripting (XSS) issue exists in the Identity Name field of the WebUI. An attacker submits a malicious payload in the identity parameter of a POST request to the /proxy/accounts/{account}/identities API endpoint; the backend stores it, and the WebUI renders it without proper output encoding when the account details page is viewed. Arbitrary JavaScript then executes in the WebUI context of any user who views the affected page, which can lead to session token theft or unauthorized actions performed as that user, such as creating a new root UserPass identity or exfiltrating data. Note that the CVSS vector rates required privileges as high and requires user interaction: the attacker must already be able to add identities to an account, and a victim must then view that account's details.
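The following is an added illustration, not code from the Rucio project or the advisory: it shows the unsafe and the encoded way of rendering a stored identity name into HTML, plus a small audit helper an operator could run over an account's identities before upgrading. The API path comes from the advisory; the response shape, the sample identities, and all function names are assumptions made for this example.

```javascript
// Added example, not Rucio project code. Function names, the response
// shape and the sample records are assumptions for illustration only.

// Constructed sample records, shaped as one might receive them from
// GET /proxy/accounts/{account}/identities (shape assumed, not verified).
const SAMPLE_IDENTITIES = [
  { identity: '/DC=ch/DC=cern/CN=alice', type: 'X509' },
  { identity: 'alice@EXAMPLE.ORG', type: 'GSS' },
  // A markup payload of the kind the advisory describes: stored via
  // POST /proxy/accounts/{account}/identities and later echoed unencoded.
  { identity: '<img src=x onerror="alert(document.cookie)">', type: 'USERPASS' },
];

// Minimal HTML entity encoder, safe for text nodes and quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the untrusted identity is interpolated straight into
// markup, so a stored payload becomes live HTML in every viewer's browser.
function renderIdentityRowUnsafe(entry) {
  return `<tr><td>${entry.type}</td><td>${entry.identity}</td></tr>`;
}

// Hardened pattern: every backend-supplied field is encoded before it is
// interpolated, so the payload is displayed as literal text.
function renderIdentityRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.type)}</td><td>${escapeHtml(entry.identity)}</td></tr>`;
}

// Audit helper: flag stored identities that contain markup-significant
// characters so an operator can review them. Expect occasional false
// positives (e.g. an apostrophe in a legitimate subject name).
const MARKUP_CHARS = /[<>"'&]/;
function findSuspiciousIdentities(identities) {
  return identities.filter((e) => MARKUP_CHARS.test(e.identity));
}

// Check whether rendered HTML still carries a raw tag from the input.
function containsRawTag(html) {
  return /<(img|script)\b/i.test(html);
}

// Stand-alone usage on the constructed sample.
for (const entry of SAMPLE_IDENTITIES) {
  console.log(renderIdentityRowSafe(entry));
}
console.log('suspicious:', findSuspiciousIdentities(SAMPLE_IDENTITIES).map((e) => e.identity));
```

When the WebUI builds the table with DOM APIs rather than HTML strings, the equivalent fix is to assign the identity to `textContent` (or pass it as a React text child) instead of `innerHTML`; the encoding function above is only needed where markup is assembled as a string.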
Recommendations: Versions prior to 35.8.3 should be updated to version 35.8.3 or later. Versions prior to 38.5.4 should be updated to version 38.5.4 or later. Versions prior to 39.3.1 should be updated to version 39.3.1 or later.

Tags: XSS
Related Identifiers: CVE-2026-25735, GHSA-8WPV-6X3F-3RM5
Affected Products: Rucio