
7 vulnerabilities by rucio

CVE-2026-25736 (GCVE-0-2026-25736)

Vulnerability from cvelistv5 – Published: 2026-02-25 19:50 – Updated: 2026-02-26 15:59
Title
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue. Note that the record also lists CWE-1004 (sensitive cookie without the HttpOnly flag): a session cookie readable from script is what turns this XSS into the session-token theft described above. The record does not state whether the fixed releases also change the cookie attributes, so deployments should verify after upgrading that the WebUI session cookie is issued with HttpOnly. The CVSS vector (PR:H) indicates that storing the payload requires a highly privileged account; the impact falls on every user who views the affected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner: GitHub_M (assignerShortName in cveMetadata below)
Impacted products
Vendor Product Version
rucio rucio Affected: < 35.8.3
Affected: >= 36.0.0rc1, < 38.5.4
Affected: >= 39.0.0rc1, < 39.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25736",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T15:59:14.603628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:59:19.879Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1004",
              "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T19:50:52.820Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fq4f-4738-rqxm",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25736",
    "datePublished": "2026-02-25T19:50:52.820Z",
    "dateReserved": "2026-02-05T16:48:00.427Z",
    "dateUpdated": "2026-02-26T15:59:19.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25735 (GCVE-0-2026-25735)

Vulnerability from cvelistv5 – Published: 2026-02-25 19:43 – Updated: 2026-02-26 16:00
Title
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner: GitHub_M (assignerShortName in cveMetadata below)
Impacted products
Vendor Product Version
rucio rucio Affected: < 35.8.3
Affected: >= 36.0.0rc1, < 38.5.4
Affected: >= 39.0.0rc1, < 39.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25735",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T16:00:30.360733Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:00:36.501Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1004",
              "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T19:43:36.463Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-8wpv-6x3f-3rm5",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25735",
    "datePublished": "2026-02-25T19:43:36.463Z",
    "dateReserved": "2026-02-05T16:48:00.427Z",
    "dateUpdated": "2026-02-26T16:00:36.501Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25734 (GCVE-0-2026-25734)

Vulnerability from cvelistv5 – Published: 2026-02-25 19:33 – Updated: 2026-02-26 16:01
Title
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner: GitHub_M (assignerShortName in cveMetadata below)
Impacted products
Vendor Product Version
rucio rucio Affected: < 35.8.3
Affected: >= 36.0.0rc1, < 38.5.4
Affected: >= 39.0.0rc1, < 39.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25734",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T16:01:30.835750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:01:36.671Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1004",
              "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T19:43:56.360Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-h9fp-p2p9-873q",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25734",
    "datePublished": "2026-02-25T19:33:44.627Z",
    "dateReserved": "2026-02-05T16:48:00.427Z",
    "dateUpdated": "2026-02-26T16:01:36.671Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25733 (GCVE-0-2026-25733)

Vulnerability from cvelistv5 – Published: 2026-02-25 19:30 – Updated: 2026-02-26 16:02
Title
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue. Unlike the three other stored-XSS records published for Rucio the same day (CVE-2026-25734/25735/25736, all rated PR:H, CVSS 6.1 Medium), this one is rated PR:L (CVSS 7.3 High): a low-privileged authenticated user can store the payload, and any user who views the affected page executes it. Combined with the listed CWE-1004 (session cookie without HttpOnly), this is the most exposed of the four and should be prioritised when scheduling the upgrade.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner: GitHub_M (assignerShortName in cveMetadata below)
Impacted products
Vendor Product Version
rucio rucio Affected: < 35.8.3
Affected: >= 36.0.0rc1, < 38.5.4
Affected: >= 39.0.0rc1, < 39.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25733",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T16:02:25.355565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:02:31.146Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1004",
              "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T19:44:14.399Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-rwj9-7j48-9f7q",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25733",
    "datePublished": "2026-02-25T19:30:55.695Z",
    "dateReserved": "2026-02-05T16:48:00.427Z",
    "dateUpdated": "2026-02-26T16:02:31.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25138 (GCVE-0-2026-25138)

Vulnerability from cvelistv5 – Published: 2026-02-25 19:28 – Updated: 2026-02-26 16:03
Title
Rucio WebUI has Username Enumeration via Login Error Message
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue. The issue is reachable without credentials (CVSS PR:N, SSVC "Automatable: yes"), so it is mainly of use as a precursor to password-guessing against confirmed accounts; the OWASP Authentication Cheat Sheet linked in the record describes the expected fix of returning a single generic failure message regardless of whether the username exists.
CWE
  • CWE-204 - Observable Response Discrepancy
Assigner: GitHub_M (assignerShortName in cveMetadata below)
Impacted products
Vendor Product Version
rucio rucio Affected: < 35.8.3
Affected: >= 36.0.0rc1, < 38.5.4
Affected: >= 39.0.0rc1, < 39.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25138",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T16:03:18.219753Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:03:22.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204: Observable Response Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T19:28:35.628Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-38wq-6q2w-hcf9",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI has Username Enumeration via Login Error Message"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25138",
    "datePublished": "2026-02-25T19:28:35.628Z",
    "dateReserved": "2026-01-29T14:03:42.540Z",
    "dateUpdated": "2026-02-26T16:03:22.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25136 (GCVE-0-2026-25136)

Vulnerability from cvelistv5 – Published: 2026-02-25 18:57 – Updated: 2026-02-26 20:44
Title
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was found in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error page, which could allow attackers to steal the login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Assigner
Impacted products
Vendor Product Version
rucio rucio Affected: < 35.8.3
Affected: >= 36.0.0rc1, < 38.5.4
Affected: >= 39.0.0rc1, < 39.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25136",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T20:44:39.867866Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T20:44:57.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1004",
              "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T18:57:28.589Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-h79m-5jjm-jm4q",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI has a Reflected Cross-site Scripting Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25136",
    "datePublished": "2026-02-25T18:57:28.589Z",
    "dateReserved": "2026-01-29T14:03:42.540Z",
    "dateUpdated": "2026-02-26T20:44:57.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-54064 (GCVE-0-2025-54064)

Vulnerability from cvelistv5 – Published: 2025-07-17 14:40 – Updated: 2025-07-17 20:01
Title
rucio-server, rucio-ui, and rucio-webui vulnerable to insertion of X-Rucio-Auth-Token in apache access logfiles
Summary
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (internal Rucio token, or JWT in the case of OIDC authentication) of the user. Due to the length of the token (especially for a JWT) the tokens are often truncated, and thus not usable as a credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-charts. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`.
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
rucio helm-charts Affected: rucio-server < 32.0.1
Affected: rucio-server >= 33.0.0, < 35.0.1
Affected: rucio-server >= 36.0.0, < 37.0.2
Affected: rucio-ui < 32.0.2
Affected: rucio-ui >= 33.0.0, < 35.1.1
Affected: rucio-ui >= 36.0.0, < 37.0.4
Affected: rucio-webui < 32.0.1
Affected: rucio-webui >= 33.0.0, < 35.1.1
Affected: rucio-webui >= 36.0.0, < 37.0.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54064",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T20:01:37.791373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-17T20:01:54.062Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "helm-charts",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "rucio-server \u003c 32.0.1"
            },
            {
              "status": "affected",
              "version": "rucio-server \u003e= 33.0.0, \u003c 35.0.1"
            },
            {
              "status": "affected",
              "version": "rucio-server \u003e= 36.0.0, \u003c 37.0.2"
            },
            {
              "status": "affected",
              "version": "rucio-ui \u003c 32.0.2"
            },
            {
              "status": "affected",
              "version": "rucio-ui \u003e= 33.0.0, \u003c 35.1.1"
            },
            {
              "status": "affected",
              "version": "rucio-ui \u003e= 36.0.0, \u003c 37.0.4"
            },
            {
              "status": "affected",
              "version": "rucio-webui \u003c 32.0.1"
            },
            {
              "status": "affected",
              "version": "rucio-webui \u003e= 33.0.0, \u003c 35.1.1"
            },
            {
              "status": "affected",
              "version": "rucio-webui \u003e= 36.0.0, \u003c 37.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-17T14:40:59.619Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/helm-charts/security/advisories/GHSA-cmfq-f2v2-vj33"
        }
      ],
      "source": {
        "advisory": "GHSA-cmfq-f2v2-vj33",
        "discovery": "UNKNOWN"
      },
      "title": "rucio-server, rucio-ui, and rucio-webui vulnerable to insertion of X-Rucio-Auth-Token in apache access logfiles"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54064",
    "datePublished": "2025-07-17T14:40:59.619Z",
    "dateReserved": "2025-07-16T13:22:18.204Z",
    "dateUpdated": "2025-07-17T20:01:54.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}