Description
Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data.
Published: 2026-01-15
Score: 4.3 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Client‑side script execution leading to sensitive data theft
Action: Patch
AI Analysis

Impact

This vulnerability is a cross‑site scripting flaw (CWE‑79). The SICK TDC‑X401GL improperly handles a URL parameter in its web interface, enabling an attacker to inject and run arbitrary JavaScript in a victim's browser after the victim has logged into the device. Once executed, the script can read session tokens, cookie values, and any other data accessible in the browser context, allowing sensitive data to be exfiltrated. The CVE description does not state whether the attacker must be authenticated; based on the wording, the victim must be logged in while the attacker need only supply a crafted link, a reading consistent with the CVSS vector recorded in the History section below (PR:N, UI:R).

Affected Systems

SICK AG’s TDC‑X401GL devices are affected. Any firmware prior to version 1.5.0 contains the flaw; the vendor recommends upgrading to firmware 1.5.0 or later to remediate the issue. No other version information is available.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity, and the EPSS score of < 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The flaw requires the victim to be logged into the device's web interface and be directed to a crafted URL, making social engineering or a compromised link the primary attack vector. In environments where users browse from the device console, the risk is heightened because the injected client‑side code runs with the logged‑in user's session privileges.

Generated by OpenCVE AI on April 18, 2026 at 19:57 UTC.

Remediation

Vendor Solution

Users are strongly recommended to upgrade to the latest release of TDC-X401GL (>= 1.5.0).


OpenCVE Recommended Actions

  • Upgrade the TDC‑X401GL firmware to version 1.5.0 or newer to eliminate the input‑validation flaw.
  • If an upgrade cannot be performed immediately, configure the device’s web UI (or use a browser extension) to block or disable JavaScript execution for pages accessed after login, thereby mitigating the XSS vector.
  • Instruct users to avoid clicking on untrusted URLs after logging into the device’s web interface, and to employ up‑to‑date browsers that implement robust XSS protections.
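The following is an added illustration, not code from the advisory, from SICK, or from the device firmware, of the reflected‑parameter pattern described under Impact and of the server‑side hardening that the recommended actions ultimately depend on. The handler, the parameter name `view`, the hostname `device.example`, and the sample request are all constructed assumptions; the real TDC‑X401GL parameter is not named on this page.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (not from the advisory). The query value is a
# benign marker string used only to show whether reflection is encoded.
SAMPLE_URL = "http://device.example/ui?view=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
MARKER = "<script>alert(1)</script>"


def reflect_param(url: str, escape: bool) -> str:
    """Render a page that echoes the hypothetical 'view' query parameter.

    escape=False reproduces the CWE-79 pattern the advisory describes: the
    raw parameter is concatenated into HTML. escape=True applies
    HTML entity encoding, which is the fix for this class of bug.
    """
    query = parse_qs(urlsplit(url).query)
    value = query.get("view", [""])[0]
    shown = html.escape(value, quote=True) if escape else value
    return f"<html><body><h1>View: {shown}</h1></body></html>"


def security_headers() -> dict:
    """Defence-in-depth response headers (constructed example values).

    A CSP without 'unsafe-inline' stops an injected inline script from
    running even if an encoding bug slips through, and HttpOnly keeps the
    session cookie out of reach of any script that does run.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
        # Cookie value is a placeholder, not a real token.
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Strict",
    }


def reflected_unencoded(rendered: str, marker: str = MARKER) -> bool:
    """True when the marker reached the page without entity encoding."""
    return marker in rendered


if __name__ == "__main__":
    # Demonstrate the difference between the two renderings.
    unsafe = reflect_param(SAMPLE_URL, escape=False)
    safe = reflect_param(SAMPLE_URL, escape=True)
    print("unsafe reflects raw markup:", reflected_unencoded(unsafe))
    print("safe reflects raw markup:  ", reflected_unencoded(safe))
    print(safe)
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

The point of the comparison is that the browser‑side advice in the list above (blocking scripts, avoiding untrusted links) only reduces exposure; the defect is closed by the firmware encoding the parameter before it is written into the page, with CSP and HttpOnly cookies limiting the damage of any future encoding miss.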


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:15:00 +0000

Type    Values Removed    Values Added
Title                     Client‑Side Script Injection via URL Parameter on SICK TDC‑X401GL

Fri, 23 Jan 2026 15:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Sick
                                        Sick tdc-x401gl
                                        Sick tdc-x401gl Firmware
CPEs                                    cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*
                                        cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products                      Sick
                                        Sick tdc-x401gl
                                        Sick tdc-x401gl Firmware

Mon, 19 Jan 2026 09:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Sick Ag
                                        Sick Ag tdc-x401gl
Vendors & Products                      Sick Ag
                                        Sick Ag tdc-x401gl

Thu, 15 Jan 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 13:15:00 +0000

Type          Values Removed    Values Added
Description                     Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data.
Weaknesses                      CWE-79
References
Metrics                         cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T16:37:50.866Z

Reserved: 2026-01-13T09:11:11.448Z

Link: CVE-2026-22913

Vulnrichment

Updated: 2026-01-15T16:37:47.610Z

NVD

Status: Analyzed

Published: 2026-01-15T13:16:06.100

Modified: 2026-01-23T15:30:41.030

Link: CVE-2026-22913

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses