Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored XSS vulnerability in RSE metadata, allowing arbitrary JavaScript execution and potential session theft.
Vulnerability
Description
Rucio, a scientific data management framework, contains a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata fields displayed in the WebUI. The vulnerability arises because attacker-controlled input in fields such as city, country_name, and ISP is persisted by the backend without proper output encoding, and later rendered unsafely in the RSE Management dashboard [2][3].
Exploitation
An authenticated attacker with administrative privileges can exploit this by sending a POST request to the /proxy/rses/ endpoint with malicious JavaScript payloads in the vulnerable metadata fields. The payload is stored and executed when any authenticated user views the RSE listing or details page [3]. No additional privileges are required beyond those needed to manage RSEs.
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the WebUI. This can lead to session cookie theft (if cookies lack the HttpOnly flag), exfiltration of API tokens exposed to JavaScript, and unauthorized actions on behalf of the victim, such as creating new identities, modifying RSEs, or exfiltrating data [3]. The impact is amplified because the XSS affects administrative users, providing broad control over the Rucio instance.
Mitigation
The issue is fixed in Rucio versions 35.8.3, 38.5.4, and 39.3.1 [2]. Users should upgrade immediately. General XSS prevention measures, such as proper output encoding and setting HttpOnly flags on session cookies, are recommended as defense-in-depth [1].
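As an added example (not rucio-webui's own code), the two rendering patterns the description contrasts: RSE metadata concatenated straight into the RSE listing markup, beside the same row rendered with HTML output encoding so a persisted payload becomes inert text. The record shape, sample values and function names are constructed for illustration and do not reflect Rucio's real schema or API.

```javascript
// Constructed sample RSE record; the `city`, `country_name` and `ISP`
// metadata fields carry markup of the kind a stored XSS relies on.
const SAMPLE_RSE = {
  rse: "SITE_DISK",
  city: '<img src=x onerror="alert(1)">',
  country_name: 'US" onmouseover="alert(2)',
  ISP: "Example ISP & Co. <b>bold</b>",
};

const METADATA_FIELDS = ["city", "country_name", "ISP"];

// Encode the five characters that carry meaning in HTML element content and
// quoted attribute values. This is the output-encoding step the fix relies on.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: stored metadata is interpolated into the table markup
// unchanged, so the browser treats any markup in the data as part of the page.
function renderRseRowUnsafe(rse) {
  const cells = METADATA_FIELDS.map((f) => `<td>${rse[f]}</td>`);
  return `<tr data-rse="${rse.rse}">${cells.join("")}</tr>`;
}

// Hardened pattern: every value is encoded before it reaches either an element
// body or a quoted attribute, so the same record renders as literal text.
function renderRseRowSafe(rse) {
  const cells = METADATA_FIELDS.map((f) => `<td>${escapeHtml(rse[f])}</td>`);
  return `<tr data-rse="${escapeHtml(rse.rse)}">${cells.join("")}</tr>`;
}

// Regression check usable in a UI test suite: after removing the template's own
// <tr>/<td> tags, any remaining < > " ' means unencoded data reached the markup.
function hasUnencodedData(html) {
  const stripped = html.replace(/<\/?t[rd](?:\s[^>]*)?>/g, "");
  return /[<>"']/.test(stripped);
}
```

Running `hasUnencodedData` over both renderings of `SAMPLE_RSE` returns true for the unsafe row and false for the hardened one.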
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rucio-webui (PyPI) | < 35.8.3 | 35.8.3 |
| rucio-webui (PyPI) | >= 36.0.0rc1, < 38.5.4 | 38.5.4 |
| rucio-webui (PyPI) | >= 39.0.0rc1, < 39.3.1 | 39.3.1 |
Affected products
- rucio/rucio, Range: < 35.8.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h9fp-p2p9-873q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25734 (advisory)
- cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html (web)
- github.com/rucio/rucio/releases/tag/35.8.3 (web)
- github.com/rucio/rucio/releases/tag/38.5.4 (web)
- github.com/rucio/rucio/releases/tag/39.3.1 (web)
- github.com/rucio/rucio/security/advisories/GHSA-h9fp-p2p9-873q (vendor confirmation)
News mentions
No linked articles in our index yet.