CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
CVE-2026-25733 (GCVE-0-2026-25733)
Vulnerability from cvelistv5 – Published: 2026-02-25 19:30 – Updated: 2026-02-26 16:02
Title
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Severity
7.3 (High)
References
5 references
| URL | Tags |
|---|---|
| https://github.com/rucio/rucio/security/advisorie… | x_refsource_CONFIRM |
| https://cheatsheetseries.owasp.org/cheatsheets/Cr… | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/35.8.3 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/38.5.4 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/39.3.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25733",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T16:02:25.355565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:02:31.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rucio",
"vendor": "rucio",
"versions": [
{
"status": "affected",
"version": "\u003c 35.8.3"
},
{
"status": "affected",
"version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
},
{
"status": "affected",
"version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T19:44:14.399Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"source": {
"advisory": "GHSA-rwj9-7j48-9f7q",
"discovery": "UNKNOWN"
},
"title": "Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25733",
"datePublished": "2026-02-25T19:30:55.695Z",
"dateReserved": "2026-02-05T16:48:00.427Z",
"dateUpdated": "2026-02-26T16:02:31.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25734 (GCVE-0-2026-25734)
Vulnerability from cvelistv5 – Published: 2026-02-25 19:33 – Updated: 2026-02-26 16:01
Title
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Severity
6.1 (Medium)
References
5 references
| URL | Tags |
|---|---|
| https://github.com/rucio/rucio/security/advisorie… | x_refsource_CONFIRM |
| https://cheatsheetseries.owasp.org/cheatsheets/Cr… | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/35.8.3 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/38.5.4 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/39.3.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25734",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T16:01:30.835750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:01:36.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rucio",
"vendor": "rucio",
"versions": [
{
"status": "affected",
"version": "\u003c 35.8.3"
},
{
"status": "affected",
"version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
},
{
"status": "affected",
"version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T19:43:56.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"source": {
"advisory": "GHSA-h9fp-p2p9-873q",
"discovery": "UNKNOWN"
},
"title": "Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25734",
"datePublished": "2026-02-25T19:33:44.627Z",
"dateReserved": "2026-02-05T16:48:00.427Z",
"dateUpdated": "2026-02-26T16:01:36.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25735 (GCVE-0-2026-25735)
Vulnerability from cvelistv5 – Published: 2026-02-25 19:43 – Updated: 2026-02-26 16:00
Title
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Severity
6.1 (Medium)
References
5 references
| URL | Tags |
|---|---|
| https://github.com/rucio/rucio/security/advisorie… | x_refsource_CONFIRM |
| https://cheatsheetseries.owasp.org/cheatsheets/Cr… | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/35.8.3 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/38.5.4 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/39.3.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25735",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T16:00:30.360733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:00:36.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rucio",
"vendor": "rucio",
"versions": [
{
"status": "affected",
"version": "\u003c 35.8.3"
},
{
"status": "affected",
"version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
},
{
"status": "affected",
"version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T19:43:36.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"source": {
"advisory": "GHSA-8wpv-6x3f-3rm5",
"discovery": "UNKNOWN"
},
"title": "Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25735",
"datePublished": "2026-02-25T19:43:36.463Z",
"dateReserved": "2026-02-05T16:48:00.427Z",
"dateUpdated": "2026-02-26T16:00:36.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25736 (GCVE-0-2026-25736)
Vulnerability from cvelistv5 – Published: 2026-02-25 19:50 – Updated: 2026-02-26 15:59
Title
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Severity
6.1 (Medium)
References
5 references
| URL | Tags |
|---|---|
| https://github.com/rucio/rucio/security/advisorie… | x_refsource_CONFIRM |
| https://cheatsheetseries.owasp.org/cheatsheets/Cr… | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/35.8.3 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/38.5.4 | x_refsource_MISC |
| https://github.com/rucio/rucio/releases/tag/39.3.1 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25736",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T15:59:14.603628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:59:19.879Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rucio",
"vendor": "rucio",
"versions": [
{
"status": "affected",
"version": "\u003c 35.8.3"
},
{
"status": "affected",
"version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
},
{
"status": "affected",
"version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T19:50:52.820Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"source": {
"advisory": "GHSA-fq4f-4738-rqxm",
"discovery": "UNKNOWN"
},
"title": "Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25736",
"datePublished": "2026-02-25T19:50:52.820Z",
"dateReserved": "2026-02-05T16:48:00.427Z",
"dateUpdated": "2026-02-26T15:59:19.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35575 (GCVE-0-2026-35575)
Vulnerability from cvelistv5 – Published: 2026-04-07 17:08 – Updated: 2026-04-07 18:35
Title
ChurchCRM has Stored XSS in Group Name
Summary
ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3.
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ChurchCRM/CRM/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35575",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T18:35:07.315321Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:35:14.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRM",
"vendor": "ChurchCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 6.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel\u2019s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator\u2019s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:08:43.354Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w"
}
],
"source": {
"advisory": "GHSA-gc8q-2gw7-qj7w",
"discovery": "UNKNOWN"
},
"title": "ChurchCRM has Stored XSS in Group Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35575",
"datePublished": "2026-04-07T17:08:43.354Z",
"dateReserved": "2026-04-03T20:09:02.827Z",
"dateUpdated": "2026-04-07T18:35:14.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39338 (GCVE-0-2026-39338)
Vulnerability from cvelistv5 – Published: 2026-04-07 17:57 – Updated: 2026-04-09 15:57
Title
ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration
Summary
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned — resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ChurchCRM/CRM/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39338",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T15:51:46.660440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T15:57:12.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRM",
"vendor": "ChurchCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser\u0027s DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser\u0027s JavaScript engine parses and executes the injected \u003cscript\u003e tags before the error response is returned \u2014 resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:57:30.410Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3ghg-qfqw-rcqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3ghg-qfqw-rcqf"
}
],
"source": {
"advisory": "GHSA-3ghg-qfqw-rcqf",
"discovery": "UNKNOWN"
},
"title": "ChurchCRM has Blind XSS via Global Search \u2013 Administrative Cookie Session Exfiltration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39338",
"datePublished": "2026-04-07T17:57:30.410Z",
"dateReserved": "2026-04-06T20:28:38.393Z",
"dateUpdated": "2026-04-09T15:57:12.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42239 (GCVE-0-2026-42239)
Vulnerability from cvelistv5 – Published: 2026-05-07 18:49 – Updated: 2026-05-07 19:39
Title
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Summary
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
Severity
8.1 (High)
CWE
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Budibase/budibase/security/adv… | x_refsource_CONFIRM |
| https://github.com/Budibase/budibase/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42239",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T19:39:21.519689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:39:45.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "budibase",
"vendor": "Budibase",
"versions": [
{
"status": "affected",
"version": "\u003c 3.35.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover \u2014 the attacker steals the JWT and has persistent access to the victim\u0027s account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1004",
"description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T18:49:59.180Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r"
},
{
"name": "https://github.com/Budibase/budibase/releases/tag/3.35.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Budibase/budibase/releases/tag/3.35.10"
}
],
"source": {
"advisory": "GHSA-4f9j-vr4p-642r",
"discovery": "UNKNOWN"
},
"title": "Budibase auth session cookies are set with httpOnly:false \u2014 any XSS can lead to full account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42239",
"datePublished": "2026-05-07T18:49:59.180Z",
"dateReserved": "2026-04-25T05:37:12.118Z",
"dateUpdated": "2026-05-07T19:39:45.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Leverage the HttpOnly flag when setting a sensitive cookie in a response.
No CAPEC attack patterns related to this CWE.