CVE-2026-25735

Source
https://cve.org/CVERecord?id=CVE-2026-25735
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25735.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25735
Aliases
Published
2026-02-25T19:43:36.463Z
Modified
2026-02-26T02:48:35.635557Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Summary
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name
Details

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

Database specific
{
    "cwe_ids": [
        "CWE-1004",
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25735.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rucio/rucio

Affected ranges

Type
GIT
Repo
https://github.com/rucio/rucio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "35.8.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "versions": [
        {
            "introduced": "36.0.0rc1"
        },
        {
            "fixed": "38.5.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "versions": [
        {
            "introduced": "39.0.0rc1"
        },
        {
            "fixed": "39.3.1"
        }
    ]
}

Affected versions

0.*
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33
0.1.34
0.1.35
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.1
0.3.10
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.10.0
1.10.0.post1
1.10.1
1.10.2
1.10.3
1.10.4
1.10.4.post1
1.10.5
1.10.6
1.10.7
1.11.0
1.11.0.post1
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.0.post1
1.12.1
1.12.2
1.12.2.post1
1.12.3
1.12.3.post1
1.12.4
1.12.5
1.12.5.post1
1.12.5.post2
1.12.6
1.13.0
1.13.0.post1
1.13.1
1.13.3
1.14.0.post1
1.14.1.post1
1.14.10
1.14.11
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.14.7
1.14.8
1.14.8.post1
1.14.8.post2
1.14.9
1.14.9.post1
1.15.0
1.15.0.post1
1.15.1
1.15.2
1.15.3
1.15.3.post1
1.15.4
1.15.4.post1
1.15.5
1.16.0
1.16.0.post1
1.16.1
1.16.2
1.16.3
1.16.4
1.17.0
1.17.1
1.17.2
1.17.2.post1
1.17.3
1.17.4
1.17.5
1.17.6
1.17.6.post1
1.17.6.post2
1.17.7
1.17.8
1.17.8.post1
1.17.8.post2
1.18.0
1.18.1
1.18.2
1.18.3
1.18.4
1.18.5
1.18.5.post1
1.18.6
1.18.6.post1
1.18.7
1.18.8
1.18.8.post1
1.18.9
1.19.0
1.19.0.post1
1.19.0.post2
1.19.1
1.19.2
1.19.3
1.19.4
1.19.4.post1
1.19.4.post2
1.19.5
1.19.6
1.19.7
1.19.7.post1
1.19.8
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.5-1
1.2.5-2
1.2.5.post3
1.2.5.post4
1.20.0
1.20.0rc1
1.20.1
1.20.1.post1
1.20.2
1.20.3
1.20.3rc1
1.20.3rc2
1.20.4
1.20.4.post1
1.20.4.post2
1.20.4rc1
1.20.4rc2
1.20.4rc3
1.20.5
1.20.6
1.20.7
1.20.8
1.21.0
1.21.0.post1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.1
1.21.10
1.21.11
1.21.12
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.22.0
1.22.0.dev2
1.22.0.dev3
1.22.0rc1
1.22.0rc2
1.22.1
1.22.2
1.22.3
1.22.4
1.22.4.dev1
1.22.5
1.22.6
1.22.7
1.22.8
1.23.0
1.23.0rc1
1.23.0rc2
1.24.0
1.24.0rc1
1.25.0
1.25.0rc1
1.25.0rc2
1.26.0
1.26.0rc1
1.26.0rc2
1.27.0
1.27.0rc1
1.27.0rc2
1.28.0
1.28.0rc1
1.28.0rc2
1.29.0
1.29.0rc1
1.29.0rc2
1.3.0.post1
1.3.0.post2
1.3.1
1.3.1.post1
1.3.2
1.3.3
1.30.0
1.30.0rc1
1.30.0rc2
1.30.0rc3
1.31.0
1.4.0
1.4.0.post1
1.4.1
1.4.2
1.4.2.post1
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.10
1.5.11
1.5.11.post1
1.5.11.post2
1.5.12
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.9
1.6.0
1.6.0.post1
1.6.0.post2
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.5.post1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
32.*
32.0.0
32.0.0rc1
32.0.0rc2
33.*
33.0.0
33.0.0rc1
33.0.0rc2
33.0.0rc3
34.*
34.0.0
34.0.0rc1
34.0.0rc2
35.*
35.0.0
35.0.0rc1
35.0.0rc2
35.0.1
35.1.0
35.1.1
35.2.0
35.2.1
35.3.0
35.4.0
35.4.1
35.5.0
35.6.0
35.6.1
35.7.0
35.8.0
35.8.2
36.*
36.0.0
36.0.0rc1
36.0.0rc2
36.0.0rc3
36.0.0rc4
36.0.0rc5
37.*
37.0.0
37.0.0rc1
37.0.0rc2
37.0.0rc3
37.0.0rc4
38.*
38.0.0
38.0.0rc1
38.0.0rc2
38.0.0rc3
38.1.0
38.2.0
38.3.0
38.4.0
38.5.0
38.5.1
38.5.2
38.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25735.json"