CVE-2026-25733
Published: 25 February 2026
Summary
CVE-2026-25733 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Cern Rucio. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Stored XSS directly enables exploitation of the WebUI (T1190), arbitrary JavaScript execution in victim browsers (T1059.007), browser session hijacking via injected scripts (T1185), and theft of web session cookies/tokens (T1539) as described in the impact.
NVD Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Deeper analysis (AI-generated)
CVE-2026-25733 is a stored Cross-Site Scripting (XSS) vulnerability in Rucio, a software framework for organizing, managing, and accessing large volumes of scientific data using customizable policies. The flaw affects the Custom Rules function of the WebUI in versions prior to 35.8.3, 38.5.4, and 39.3.1, where attacker-controlled input is persisted by the backend and later rendered without proper output encoding. This enables arbitrary JavaScript execution in the context of the WebUI for users viewing affected pages. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), although the impact is primarily driven by the XSS.
An attacker with low privileges (PR:L), such as an authenticated user able to access the Custom Rules function, can submit malicious input that is then stored. Subsequent users who view WebUI pages displaying that input trigger JavaScript execution in their own browser context; viewing the page is the user interaction the vector requires (UI:R). Successful exploitation can lead to high-impact confidentiality and integrity violations, including session token theft or unauthorized actions performed on behalf of victims, over the network and with low attack complexity.
Mitigation is provided by upgrading to Rucio versions 35.8.3, 38.5.4, or 39.3.1, which address the output encoding issue, as documented in the GitHub release notes for these versions and the security advisory GHSA-rwj9-7j48-9f7q. Additional guidance on XSS prevention, including output encoding best practices, is available in the OWASP Cross-Site Scripting Prevention Cheat Sheet.
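The following is an added illustration of the weakness class and the fix described above; it is not Rucio's code and does not reproduce the affected Custom Rules page. It assumes a hypothetical table-rendering function over persisted "rule" records (the record fields and the sample values are constructed for this example) and contrasts the CWE-79 pattern, interpolating stored values into HTML verbatim, with a renderer that HTML-entity encodes every persisted field. A small check function, of the kind a project test suite might carry, reports any tag in the rendered output that the template itself does not emit.

```python
"""Added example (not Rucio's code): rendering persisted input with and
without output encoding, plus a test-suite style check that the hardened
renderer cannot be made to emit tags the template does not contain."""
import html
import re

# Constructed sample records, shaped like a backend might persist a rule.
# The comment on the second record carries markup; it is made up for this
# example and is exactly the kind of value that must be encoded on output.
STORED_RULES = [
    {"id": "rule-0001", "rse_expression": "SITE_A", "comment": "keep 2 copies"},
    {"id": "rule-0002", "rse_expression": "SITE_B",
     "comment": '<script>alert("xss")</script>'},
]

# Hypothetical row template; only the template, never user data, is formatted.
ROW_TEMPLATE = "<tr><td>{id}</td><td>{rse}</td><td>{comment}</td></tr>"


def render_rules_vulnerable(rules):
    """CWE-79 pattern: persisted values reach the page without encoding."""
    rows = [
        ROW_TEMPLATE.format(id=r["id"], rse=r["rse_expression"], comment=r["comment"])
        for r in rules
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_rules_hardened(rules):
    """Every persisted field is HTML-entity encoded before it reaches the page.

    html.escape(quote=True) encodes <, >, &, " and ', so the result is safe
    both as element content and inside quoted attribute values. Note that
    this is HTML-context encoding only; a value placed inside a <script>
    block, a URL or a CSS context needs the encoder for that context."""
    rows = []
    for r in rules:
        rows.append(ROW_TEMPLATE.format(
            id=html.escape(str(r["id"]), quote=True),
            rse=html.escape(str(r["rse_expression"]), quote=True),
            comment=html.escape(str(r["comment"]), quote=True),
        ))
    return "<table>" + "".join(rows) + "</table>"


# Tags the template legitimately emits; anything else came from stored data.
ALLOWED_TAGS = {"table", "tr", "td"}
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")


def unexpected_tags(rendered_html):
    """Return the sorted tag names in the output that the template does not
    emit. For the hardened renderer this must be empty for any stored data."""
    found = {m.group(1).lower() for m in _TAG_RE.finditer(rendered_html)}
    return sorted(found - ALLOWED_TAGS)


if __name__ == "__main__":
    print("vulnerable:", unexpected_tags(render_rules_vulnerable(STORED_RULES)))
    print("hardened:  ", unexpected_tags(render_rules_hardened(STORED_RULES)))
```

The check is intentionally crude (a regex over the rendered string), but it captures the invariant that matters for a stored XSS fix: stored data may change the text of a page, never its markup. Encoding at the output boundary, rather than filtering at input time, is what the OWASP cheat sheet recommends because the same stored value may later be rendered in several contexts. Independently of the encoding fix, marking the session cookie HttpOnly (the CWE-1004 point above) limits what an injected script could read if another encoding gap were found.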
Details
- CWE(s)