Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Rucio WebUI's error handling allows attackers to steal login session tokens via crafted URLs; fixed in versions 35.8.3, 38.5.4, and 39.3.1.
Vulnerability
Description A reflected Cross-Site Scripting (XSS) vulnerability exists in Rucio WebUI versions prior to 35.8.3, 38.5.4, and 39.3.1 [2]. The root cause is that the server error response includes the ExceptionMessage, which may contain user-controlled input, and the WebUI client renders this message into the DOM without proper encoding, using unsafe methods like jQuery's .html() [3]. This allows an attacker to inject arbitrary HTML and JavaScript.
Exploitation
An attacker can craft a malicious URL (e.g., https://host/ui/account_rse_usage?account=...) that triggers a 500 error. The server includes the attacker's input in the ExceptionMessage, and when the WebUI displays it, the injected script executes in the context of the victim's browser [3]. No authentication is required to trigger the error; the victim only needs to visit the crafted link while authenticated to Rucio.
Impact
Successful exploitation enables an attacker to steal the victim's login session token (cookie) [2]. With this token, the attacker can impersonate the victim and gain unauthorized access to Rucio resources, potentially compromising sensitive scientific data.
Mitigation
The issue is fixed in Rucio versions 35.8.3, 38.5.4, and 39.3.1 [2]. Users should upgrade to one of these versions as soon as possible.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rucio-webuiPyPI | < 35.8.3 | 35.8.3 |
rucio-webuiPyPI | >= 36.0.0rc1, < 38.5.4 | 38.5.4 |
rucio-webuiPyPI | >= 39.0.0rc1, < 39.3.1 | 39.3.1 |
Affected products
2- rucio/ruciov5Range: < 35.8.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-h79m-5jjm-jm4qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25136ghsaADVISORY
- cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.htmlghsax_refsource_MISCWEB
- github.com/rucio/rucio/releases/tag/35.8.3ghsax_refsource_MISCWEB
- github.com/rucio/rucio/releases/tag/38.5.4ghsax_refsource_MISCWEB
- github.com/rucio/rucio/releases/tag/39.3.1ghsax_refsource_MISCWEB
- github.com/rucio/rucio/security/advisories/GHSA-h79m-5jjm-jm4qghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.