CVE-2026-25136

Source
https://cve.org/CVERecord?id=CVE-2026-25136
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25136.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25136
Aliases
Published
2026-02-25T18:57:28.589Z
Modified
2026-03-01T02:57:10.650112Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Details

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. In versions prior to 35.8.3, 38.5.4, and 39.3.1, a reflected cross-site scripting vulnerability exists in the rendering of the ExceptionMessage of the WebUI 500 error, which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25136.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1004",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/rucio/rucio

Affected ranges

Type
GIT
Repo
https://github.com/rucio/rucio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "35.8.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "versions": [
        {
            "introduced": "36.0.0rc1"
        },
        {
            "fixed": "38.5.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "versions": [
        {
            "introduced": "39.0.0rc1"
        },
        {
            "fixed": "39.3.1"
        }
    ]
}

Affected versions

0.*
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33
0.1.34
0.1.35
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.1
0.3.10
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.10.0
1.10.0.post1
1.10.1
1.10.2
1.10.3
1.10.4
1.10.4.post1
1.10.5
1.10.6
1.10.7
1.11.0
1.11.0.post1
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.0.post1
1.12.1
1.12.2
1.12.2.post1
1.12.3
1.12.3.post1
1.12.4
1.12.5
1.12.5.post1
1.12.5.post2
1.12.6
1.13.0
1.13.0.post1
1.13.1
1.13.3
1.14.0.post1
1.14.1.post1
1.14.10
1.14.11
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.14.7
1.14.8
1.14.8.post1
1.14.8.post2
1.14.9
1.14.9.post1
1.15.0
1.15.0.post1
1.15.1
1.15.2
1.15.3
1.15.3.post1
1.15.4
1.15.4.post1
1.15.5
1.16.0
1.16.0.post1
1.16.1
1.16.2
1.16.3
1.16.4
1.17.0
1.17.1
1.17.2
1.17.2.post1
1.17.3
1.17.4
1.17.5
1.17.6
1.17.6.post1
1.17.6.post2
1.17.7
1.17.8
1.17.8.post1
1.17.8.post2
1.18.0
1.18.1
1.18.2
1.18.3
1.18.4
1.18.5
1.18.5.post1
1.18.6
1.18.6.post1
1.18.7
1.18.8
1.18.8.post1
1.18.9
1.19.0
1.19.0.post1
1.19.0.post2
1.19.1
1.19.2
1.19.3
1.19.4
1.19.4.post1
1.19.4.post2
1.19.5
1.19.6
1.19.7
1.19.7.post1
1.19.8
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.5-1
1.2.5-2
1.2.5.post3
1.2.5.post4
1.20.0
1.20.0rc1
1.20.1
1.20.1.post1
1.20.2
1.20.3
1.20.3rc1
1.20.3rc2
1.20.4
1.20.4.post1
1.20.4.post2
1.20.4rc1
1.20.4rc2
1.20.4rc3
1.20.5
1.20.6
1.20.7
1.20.8
1.21.0
1.21.0.post1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.1
1.21.10
1.21.11
1.21.12
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.22.0
1.22.0.dev2
1.22.0.dev3
1.22.0rc1
1.22.0rc2
1.22.1
1.22.2
1.22.3
1.22.4
1.22.4.dev1
1.22.5
1.22.6
1.22.7
1.22.8
1.23.0
1.23.0rc1
1.23.0rc2
1.24.0
1.24.0rc1
1.25.0
1.25.0rc1
1.25.0rc2
1.26.0
1.26.0rc1
1.26.0rc2
1.27.0
1.27.0rc1
1.27.0rc2
1.28.0
1.28.0rc1
1.28.0rc2
1.29.0
1.29.0rc1
1.29.0rc2
1.3.0.post1
1.3.0.post2
1.3.1
1.3.1.post1
1.3.2
1.3.3
1.30.0
1.30.0rc1
1.30.0rc2
1.30.0rc3
1.31.0
1.4.0
1.4.0.post1
1.4.1
1.4.2
1.4.2.post1
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.10
1.5.11
1.5.11.post1
1.5.11.post2
1.5.12
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.9
1.6.0
1.6.0.post1
1.6.0.post2
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.5.post1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
32.*
32.0.0
32.0.0rc1
32.0.0rc2
33.*
33.0.0
33.0.0rc1
33.0.0rc2
33.0.0rc3
34.*
34.0.0
34.0.0rc1
34.0.0rc2
35.*
35.0.0
35.0.0rc1
35.0.0rc2
35.0.1
35.1.0
35.1.1
35.2.0
35.2.1
35.3.0
35.4.0
35.4.1
35.5.0
35.6.0
35.6.1
35.7.0
35.8.0
35.8.2
36.*
36.0.0
36.0.0rc1
36.0.0rc2
36.0.0rc3
36.0.0rc4
36.0.0rc5
37.*
37.0.0
37.0.0rc1
37.0.0rc2
37.0.0rc3
37.0.0rc4
38.*
38.0.0
38.0.0rc1
38.0.0rc2
38.0.0rc3
38.1.0
38.2.0
38.3.0
38.4.0
38.5.0
38.5.1
38.5.2
38.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25136.json"