CVE-2026-25736 - Vulnerability Analysis
MediumCVSS: 6.1Last Updated: February 27, 2026
Rucio - Stored XSS
Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable
Overview
Rucio < 35.8.3, < 38.5.4, and < 39.3.1 contain a stored XSS caused by improper output encoding of attacker-controlled input in Custom RSE Attribute in WebUI, letting attackers execute arbitrary JavaScript in user context, exploit requires user to view affected pages.
Severity & Score
Severity: Medium
CVSS Score: 6.1
Impact
Attackers can execute arbitrary JavaScript in users' browsers, potentially stealing session tokens or performing unauthorized actions.
Mitigation
Update to versions 35.8.3, 38.5.4, or 39.3.1 or later.
References
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- https://github.com/rucio/rucio/releases/tag/35.8.3
- https://github.com/rucio/rucio/releases/tag/38.5.4
- https://github.com/rucio/rucio/releases/tag/39.3.1
- https://github.com/rucio/rucio/security/advisories/GHSA-fq4f-4738-rqxm
Related Resources
Details
- CVE ID
- CVE-2026-25736
- Severity
- Medium
- CVSS Score
- 6.1
- Type
- stored_xss
- Status
- confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N