CVE-2026-25733
Published: 25 February 2026
Summary
CVE-2026-25733 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Cern Rucio. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25733 is a stored Cross-Site Scripting (XSS) vulnerability in Rucio, a software framework for organizing, managing, and accessing large volumes of scientific data using customizable policies. The flaw affects the Custom Rules function of the WebUI in versions prior to 35.8.3, 38.5.4, and 39.3.1: attacker-controlled input is persisted by the backend and later rendered without proper output encoding. This enables arbitrary JavaScript execution in the context of the WebUI for any user viewing an affected page. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N). It maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and to CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), although the impact is primarily driven by the XSS itself.
An attacker with low privileges (PR:L), such as an authenticated user able to reach the Custom Rules function, can submit malicious input that the backend stores. The required user interaction (UI:R) is simply a subsequent user viewing a WebUI page that displays this input; the injected JavaScript then runs in that user's browser context. Successful exploitation can lead to high-impact confidentiality and integrity violations, including session token theft or unauthorized actions performed on behalf of victims, over the network and with low attack complexity.
Mitigation is provided by upgrading to Rucio versions 35.8.3, 38.5.4, or 39.3.1, which address the output encoding issue, as documented in the GitHub release notes for these versions and the security advisory GHSA-rwj9-7j48-9f7q. Additional guidance on XSS prevention, including output encoding best practices, is available in the OWASP Cross-Site Scripting Prevention Cheat Sheet.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8726
Vulnerability details
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
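The render-without-encoding pattern described above, and the two controls that address it, as an added Python illustration (not Rucio's code): a hypothetical minimal WebUI that stores a user-submitted custom rule and later renders it into HTML. The rule fields, regex and cookie attributes are assumptions chosen for the demonstration.

```python
"""Stored-XSS pattern behind CVE-2026-25733 and its mitigations.

Added illustration, not Rucio code: a hypothetical minimal WebUI that
persists a user-supplied custom rule and later renders it as HTML.
"""
import html
import re

# Constructed sample input: a rule whose free-text comment carries markup.
SAMPLE_RULE = {"name": "reprule-42", "comment": "<script>alert(1)</script>"}

RULE_STORE: list = []  # stands in for the backend database

def store_rule(rule: dict) -> None:
    """Backend persists the submission unchanged; storage itself is not the bug."""
    RULE_STORE.append(dict(rule))

def render_rule_unsafe(rule: dict) -> str:
    """Vulnerable pattern: persisted values are interpolated raw into the page,
    so stored markup becomes live in every viewer's browser."""
    return f"<tr><td>{rule['name']}</td><td>{rule['comment']}</td></tr>"

def render_rule_encoded(rule: dict) -> str:
    """Fix (SI-15, output filtering): entity-encode every persisted value at
    render time, so the browser displays the text instead of executing it."""
    name = html.escape(rule["name"], quote=True)
    comment = html.escape(rule["comment"], quote=True)
    return f"<tr><td>{name}</td><td>{comment}</td></tr>"

_NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,128}$")  # assumed naming policy

def validate_rule_input(rule: dict) -> bool:
    """Defence in depth (SI-10, input validation): allow-list the rule name and
    cap the comment length. It still accepts SAMPLE_RULE, because a free-text
    comment may legitimately contain '<'; encoding, not validation, is the fix."""
    name_ok = bool(_NAME_RE.match(rule.get("name", "")))
    return name_ok and len(rule.get("comment", "")) <= 512

def session_cookie_header(token: str) -> str:
    """Cookie attributes that limit what a successful XSS can steal (CWE-1004):
    HttpOnly keeps the session token out of document.cookie."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"

def has_live_script(page: str) -> bool:
    """Demo check: does the rendered HTML still contain an unencoded tag?"""
    return "<script" in page.lower()
```

Running the two renderers over SAMPLE_RULE shows the same stored record producing live markup in one case and inert text in the other, which is exactly the difference the fixed Rucio releases introduce.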
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables exploitation of the WebUI (T1190), arbitrary JavaScript execution in victim browsers (T1059.007), browser session hijacking via injected scripts (T1185), and theft of web session cookies/tokens (T1539) as described in the impact.
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly requires output filtering/encoding of persisted attacker input before WebUI rendering, eliminating the stored XSS vector in Custom Rules.
- SI-10 (Information Input Validation): requires validation and sanitization of all input to the Custom Rules function, reducing the chance that malicious payloads are accepted and stored.
- Malicious-code detection or filtering mechanisms that can block or alert on XSS payloads delivered through the WebUI.