CVE-2026-25136
Published: 25 February 2026
Summary
CVE-2026-25136 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Cern Rucio. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires secure error handling that prevents the reflection of unsanitized user input in 500 error page ExceptionMessages, directly mitigating the reflected XSS vulnerability.
Mandates filtering of information prior to output on web interfaces, ensuring XSS payloads in error pages are encoded and cannot execute in victims' browsers.
Validates malicious inputs from crafted URLs before processing, reducing the risk of XSS payloads triggering exploitable 500 errors.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in WebUI (CWE-79 + CWE-1004) permits arbitrary JS execution in victim browser via malicious URL, directly enabling web session cookie theft and browser session hijacking.
NVD Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of…
more
the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Deeper analysisAI
CVE-2026-25136 is a reflected Cross-Site Scripting (XSS) vulnerability, classified under CWE-79 and CWE-1004, in Rucio, a software framework for organizing, managing, and accessing large volumes of scientific data. The issue resides in the WebUI component, specifically the rendering of the ExceptionMessage on 500 error pages, affecting all versions prior to 35.8.3, 38.5.4, and 39.3.1.
Attackers without privileges (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) by crafting a malicious URL that triggers a 500 error containing an XSS payload in the ExceptionMessage. Exploitation requires user interaction (UI:R), such as a victim navigating to the URL, after which the payload executes in the victim's browser context. This enables theft of login session tokens, resulting in high impacts to confidentiality and integrity but none to availability (CVSS v3.1 score: 8.1; C:H/I:H/A:N/S:U).
Mitigation is provided via patches in Rucio versions 35.8.3, 38.5.4, and 39.3.1, with release notes available on GitHub. Further details, including the fix implementation, are documented in the project's security advisory at GHSA-h79m-5jjm-jm4q. General XSS prevention strategies are outlined in the OWASP Cross-Site Scripting Prevention Cheat Sheet.
Details
- CWE(s)