PT-2026-22002 · Rucio · Rucio

D-Woosley · Published 2026-02-25 · Updated 2026-02-26 · CVE-2026-25736

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1
Description: Rucio is a software framework used to organize, manage, and access large volumes of scientific data. A stored cross-site scripting (XSS) vulnerability exists in the custom RSE attribute feature of the WebUI. An attacker can submit input that the backend stores and the WebUI later renders without proper output encoding, so arbitrary JavaScript executes in the context of the WebUI when a user views the affected pages, potentially leading to session token theft or unauthorized actions. The issue is triggered by creating a custom RSE attribute via Admin > RSE Management > RSE NAME > Add Attribute and then viewing the RSE via Admin > RSE Management > RSE NAME. The attack uses a POST request to the /proxy/rses/WEB1/attr/XSS endpoint with a payload in the request body, such as {"value":"<script>alert('XSS')</script>"}. An attacker could exploit this to create a new UserPass identity or exfiltrate data. The impact is amplified by the absence of the HttpOnly flag on session cookies and the exposure of API tokens in JavaScript variables.
Recommendations: Versions prior to 35.8.3 should be updated to version 35.8.3 or later. Versions prior to 38.5.4 should be updated to version 38.5.4 or later. Versions prior to 39.3.1 should be updated to version 39.3.1 or later.
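The root cause above is a stored value reaching the page without output encoding. The following is an added example, not Rucio's own WebUI code: it contrasts the unencoded rendering pattern with an escaped one, adds a regression check a test suite could run over rendered markup, and builds a session cookie with the HttpOnly flag whose absence the advisory notes. The table layout, the `{key: value}` attribute shape and the cookie name are assumptions.

```javascript
// Added example, not Rucio's own WebUI code: render an RSE attribute row with
// output encoding so a stored attribute value can never be parsed as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern of the flaw the advisory describes: key and value are concatenated
// straight into markup, so a stored "<script>" is rendered as a real tag.
function unsafeRenderRow(key, value) {
  return `<tr><td>${key}</td><td>${value}</td></tr>`;
}

// Hardened form: every untrusted field passes through escapeHtml() first.
function safeRenderRow(key, value) {
  return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Renders the attribute table of one RSE (assumed input shape: {key: value}).
function renderAttributeTable(attrs) {
  const rows = Object.entries(attrs).map(([k, v]) => safeRenderRow(k, v)).join("");
  return `<table>${rows}</table>`;
}

// Regression check for tests or CI: report any tag the template itself did
// not emit. Only <table>, <tr> and <td> are expected in the rendered output.
function containsUnexpectedTag(html) {
  const allowed = new Set(["table", "tr", "td"]);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Cookie attributes that remove the amplification the advisory notes:
// HttpOnly keeps the session token out of document.cookie, Secure and
// SameSite limit where it is sent. The cookie name is a constructed assumption.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample using the payload quoted in the advisory.
const SAMPLE_ATTRS = { XSS: "<script>alert('XSS')</script>", site: "WEB1" };
```

Running `containsUnexpectedTag` over the output of both render functions with `SAMPLE_ATTRS` shows the unencoded path emitting a script tag and the escaped path emitting only the expected table markup.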

Tags: Exploit · Fix · XSS

Related Identifiers: CVE-2026-25736, GHSA-FQ4F-4738-RQXM

Affected Products: Rucio