CVE-2026-25136

8.1 HIGH

📋 TL;DR

This is a reflected Cross-site Scripting (XSS) vulnerability in Rucio's WebUI that allows attackers to steal login session tokens. Attackers can craft malicious URLs that, when visited by users, execute JavaScript in the context of the Rucio application. This affects Rucio users running vulnerable versions prior to 35.8.3, 38.5.4, or 39.3.1.

💻 Affected Systems

Products:
  • Rucio
Versions: All versions prior to 35.8.3, 38.5.4, and 39.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rucio instances with WebUI enabled. The vulnerability is in the 500 error page rendering of ExceptionMessage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrative session tokens, gaining full control over the Rucio instance and potentially accessing sensitive scientific data.

🟠 Likely Case

Attackers steal user session tokens to impersonate legitimate users, potentially accessing their data and performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, the XSS payloads are neutralized before reaching users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are commonly exploited. The attack requires user interaction (clicking a malicious link) but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 35.8.3, 38.5.4, or 39.3.1

Vendor Advisory: https://github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4q

Restart Required: Yes

Instructions:

1. Identify your Rucio version.
2. Upgrade to 35.8.3, 38.5.4, or 39.3.1 depending on your branch.
3. Restart the Rucio services.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with XSS protection rules to block malicious payloads.

Content Security Policy (CSP)

all

Implement a strict CSP header to prevent execution of inline JavaScript.
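The two defensive measures this page names, output encoding of the exception message on the 500 page and a CSP that forbids inline script, shown side by side as an added example. This is illustrative code written for this page, not Rucio's WebUI code: the page template, the header values, the policy strings and the sample message are all hypothetical, and the unsafe renderer exists only to contrast with the encoded one.

```python
import html

# Constructed sample: text of the kind a 500 handler might echo back to the
# browser. The tag inside it is an illustrative marker, not a real Rucio message.
SAMPLE_MESSAGE = 'Invalid scope "<script>alert(1)</script>"'

# Hypothetical policies: the weak one permits inline script, the strict one does not.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def render_error_page_unsafe(exception_message: str) -> str:
    """The flawed pattern: the message is interpolated into HTML as-is."""
    return f"<h1>500 Internal Server Error</h1><p>{exception_message}</p>"


def render_error_page_safe(exception_message: str) -> str:
    """The fix: HTML-encode the message so the browser treats it as text, not markup."""
    encoded = html.escape(exception_message, quote=True)
    return f"<h1>500 Internal Server Error</h1><p>{encoded}</p>"


def security_headers(policy: str = STRICT_CSP) -> dict:
    """Defense-in-depth headers to attach to the error response (hypothetical values)."""
    return {
        "Content-Security-Policy": policy,
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "text/html; charset=utf-8",
    }


def csp_blocks_inline_scripts(policy: str) -> bool:
    """Return True if the policy's effective script-src forbids inline script.

    script-src falls back to default-src when absent; a policy with neither,
    or one that lists 'unsafe-inline', does not stop a reflected payload.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources:
        return False
    return "'unsafe-inline'" not in sources


def contains_live_script_tag(rendered: str) -> bool:
    """Check whether rendered HTML still carries an un-encoded <script tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe page executes markup:", contains_live_script_tag(render_error_page_unsafe(SAMPLE_MESSAGE)))
    print("safe page executes markup:  ", contains_live_script_tag(render_error_page_safe(SAMPLE_MESSAGE)))
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{name} CSP blocks inline script:", csp_blocks_inline_scripts(policy))
```

Output encoding is the actual fix; the CSP is the compensating control this page suggests while a patch is pending, and it only helps if `script-src` (or `default-src`) is present and does not include `'unsafe-inline'`, which the checker above verifies before a header is deployed.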

🧯 If You Can't Patch

  • Disable Rucio WebUI if not required
  • Implement network segmentation to restrict access to Rucio WebUI

🔍 How to Verify

Check if Vulnerable:

Check Rucio version against affected versions. Test by attempting to inject JavaScript in ExceptionMessage parameters.

Check Version:

rucio --version

Verify Fix Applied:

After patching, verify version is 35.8.3, 38.5.4, or 39.3.1. Test XSS payloads to confirm they are properly encoded.

📡 Detection & Monitoring

Log Indicators:

  • Unusual 500 error requests with JavaScript payloads in parameters
  • Multiple failed login attempts followed by successful logins from different IPs

Network Indicators:

  • HTTP requests containing JavaScript in query parameters to Rucio WebUI
  • Unusual outbound connections after visiting Rucio URLs

SIEM Query:

source="rucio_webui" AND (status=500 AND (request_uri LIKE "%<script%" OR request_uri LIKE "%javascript:%"))
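The SIEM query above matches the literal strings `<script` and `javascript:` in the request URI, so a percent-encoded payload (`%3Cscript%3E`) would slip past it. The following added example, not part of this page's original content, applies the same two indicators to constructed access-log lines in common log format, but URL-decodes the URI first; the log lines, IPs and paths are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real Rucio WebUI logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2026:12:00:01 +0000] "GET /ui/dids?scope=user.alice HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2026:12:00:02 +0000] "GET /ui/dids?scope=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 500 812
10.0.0.9 - - [10/Mar/2026:12:00:03 +0000] "GET /ui/search?q=javascript:void(0) HTTP/1.1" 500 790
10.0.0.9 - - [10/Mar/2026:12:00:04 +0000] "GET /ui/search?q=missing HTTP/1.1" 500 790
10.0.0.2 - - [10/Mar/2026:12:00:05 +0000] "GET /ui/login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The same two indicators the SIEM query uses.
XSS_MARKERS = ("<script", "javascript:")


def decode_fully(uri: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, to also catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def literal_uri_match(uri: str) -> bool:
    """What the literal LIKE query sees: raw URI, no decoding."""
    return any(marker in uri for marker in XSS_MARKERS)


def find_suspicious(log_text: str) -> list:
    """Return 500-status requests whose decoded URI carries an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "500":
            continue
        decoded = decode_fully(m["uri"]).lower()
        if any(marker in decoded for marker in XSS_MARKERS):
            hits.append({"ip": m["ip"], "time": m["ts"], "uri": m["uri"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["uri"])
```

The fourth sample line is a plain 500 with no payload and is deliberately not flagged: status code alone is a poor signal on a busy instance, and the marker match is what separates probing from ordinary errors. Case folding and decoding before matching also cover mixed-case tags and encoded angle brackets that the literal query misses.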
