CVE-2026-25735: Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name
(updated )
A stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.
References
- cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- github.com/advisories/GHSA-8wpv-6x3f-3rm5
- github.com/rucio/rucio
- github.com/rucio/rucio/releases/tag/35.8.3
- github.com/rucio/rucio/releases/tag/38.5.4
- github.com/rucio/rucio/releases/tag/39.3.1
- github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5
- nvd.nist.gov/vuln/detail/CVE-2026-25735
Code Behaviors & Features
Detect and mitigate CVE-2026-25735 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →