Cyber Resilience

CVE-2026-25733

Severity: High · Public PoC

Published: 25 February 2026
Modified: 27 February 2026

CVSS v3.1 score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS score: 0.0006 (20.0th percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25733 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Cern Rucio. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25733 is a stored Cross-Site Scripting (XSS) vulnerability in Rucio, a software framework for organizing, managing, and accessing large volumes of scientific data using customizable policies. The flaw affects the Custom Rules function of the WebUI in versions prior to 35.8.3, 38.5.4, and 39.3.1, where attacker-controlled input is persisted by the backend and later rendered without proper output encoding. This enables arbitrary JavaScript execution in the context of the WebUI for users viewing affected pages. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag, though primarily driven by XSS).

An attacker with low privileges (PR:L), such as an authenticated user able to access the Custom Rules function, can submit malicious input that gets stored. Subsequent users who view pages displaying this input in the WebUI trigger JavaScript execution in their browser context, given the requirement for user interaction (UI:R). Successful exploitation can lead to high-impact confidentiality and integrity violations, including session token theft or performing unauthorized actions on behalf of victims, all over the network with low attack complexity.

Mitigation is provided by upgrading to Rucio versions 35.8.3, 38.5.4, or 39.3.1, which address the output encoding issue, as documented in the GitHub release notes for these versions and the security advisory GHSA-rwj9-7j48-9f7q. Additional guidance on XSS prevention, including output encoding best practices, is available in the OWASP Cross-Site Scripting Prevention Cheat Sheet.
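The two controls named above, shown side by side with the defect they address, as an added example that is not Rucio's code: a constructed set of persisted rule records (hypothetical field names), the vulnerable read path that interpolates stored text into markup, the encoded read path (SI-15), an allowlist check on the write path (SI-10), and a check that the session cookie carries HttpOnly (the CWE-1004 aspect).

```python
import html
import re

# Constructed sample of persisted custom-rule records. Field names are
# hypothetical and do not reflect Rucio's real schema.
STORED_RULES = [
    {"id": 1, "comment": "replicate to two Tier-1 sites"},
    {"id": 2, "comment": "<script>alert(1)</script> keep 1 copy"},  # hostile, already stored
]

# Allowlist for a free-text rule comment: word characters, spaces and a few
# punctuation marks. Anything else is rejected on the write path (SI-10).
COMMENT_ALLOWED = re.compile(r"[\w .,:;/@()\-]{0,256}")


def validate_rule_comment(comment: str) -> bool:
    """Write-path check: reject input that does not match the allowlist."""
    return COMMENT_ALLOWED.fullmatch(comment) is not None


def render_rule_vulnerable(rule: dict) -> str:
    """The CWE-79 pattern: stored text interpolated straight into markup."""
    return f'<tr><td>{rule["id"]}</td><td>{rule["comment"]}</td></tr>'


def render_rule_encoded(rule: dict) -> str:
    """Read-path fix (SI-15): HTML-encode every stored value at render time."""
    safe_comment = html.escape(rule["comment"], quote=True)
    return f'<tr><td>{rule["id"]}</td><td>{safe_comment}</td></tr>'


def contains_active_markup(fragment: str) -> bool:
    """Coarse check used to show that encoding leaves no executable tags behind."""
    return re.search(r"<\s*script|\son\w+\s*=", fragment, re.IGNORECASE) is not None


def session_cookie_is_hardened(set_cookie: str) -> bool:
    """CWE-1004 check: the session cookie must carry HttpOnly (and Secure) so a
    script that does run cannot read it through document.cookie."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" in attrs and "secure" in attrs


if __name__ == "__main__":
    for rule in STORED_RULES:
        print("accepted on write:", validate_rule_comment(rule["comment"]))
        print("vulnerable:", render_rule_vulnerable(rule))
        print("encoded:   ", render_rule_encoded(rule))
    print(session_cookie_is_hardened("session=abc; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

The allowlist is deliberately the second line of defence: a record that was stored before validation existed (rule 2 above) is still neutralised by encoding at render time.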

Vulnerability details

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS directly enables exploitation of the WebUI (T1190), arbitrary JavaScript execution in victim browsers (T1059.007), browser session hijacking via injected scripts (T1185), and theft of web session cookies/tokens (T1539) as described in the impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25136 (same product: Cern Rucio)
CVE-2026-33046 (same vendor: Cern)
CVE-2025-67949 (shared CWE-79)
CVE-2024-56033 (shared CWE-79)
CVE-2025-23549 (shared CWE-79)
CVE-2026-27072 (shared CWE-79)
CVE-2026-27068 (shared CWE-79)
CVE-2025-59542 (shared CWE-79)
CVE-2025-26989 (shared CWE-79)
CVE-2026-28103 (shared CWE-79)

Affected Assets

cern rucio: affected versions ≤ 35.8.3 · 36.0.0 — 38.5.4 · 39.0.0 — 39.3.1

Mitigating Controls (NIST 800-53 r5) (AI)

SI-15 Information Output Filtering (prevent)
Directly requires output filtering/encoding of persisted attacker input before WebUI rendering, eliminating the stored XSS vector in Custom Rules.

SI-10 Information Input Validation (prevent)
Requires validation and sanitization of all input to the Custom Rules function, reducing the chance that malicious payloads are accepted and stored.

(prevent, detect)
Deploys malicious-code detection or filtering mechanisms that can block or alert on XSS payloads delivered through the WebUI.
