CVE-2026-25733: Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
A stored Cross-site Scripting (XSS) vulnerability was identified in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.
References
- cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- github.com/advisories/GHSA-rwj9-7j48-9f7q
- github.com/rucio/rucio
- github.com/rucio/rucio/releases/tag/35.8.3
- github.com/rucio/rucio/releases/tag/38.5.4
- github.com/rucio/rucio/releases/tag/39.3.1
- github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q
- nvd.nist.gov/vuln/detail/CVE-2026-25733
Code Behaviors & Features
Detect and mitigate CVE-2026-25733 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →