Description
An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data.
Published: 2026-01-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data extraction via clickjacking
Action: Mitigate
AI Analysis

Impact

The R4E vulnerability arises because the TDC‑X401GL device lacks adequate clickjacking protection. By serving web pages that can be embedded in an attacker‑controlled frame, a malicious site could trick a legitimate user into executing unintended actions. This can result in the unauthorized disclosure of sensitive configuration or operational data without the user’s knowledge.

Affected Systems

The flaw affects SICK AG’s TDC‑X401GL line, including both hardware and its accompanying firmware as identified in the CNA vendor listing. No specific firmware versions are listed, so all currently deployed devices may be vulnerable.

Risk and Exploitability

The CVSS base score is 4.3, indicating low severity, while the EPSS score is below 1%, suggesting rare exploitation. The vulnerability is not present in CISA’s KEV catalog. Proof‑of‑concept attacks only require a malicious web page and a user’s interaction, making the attack vector remote but dependent on user activity. No publicly available exploits are known, yet the potential for confidential data leakage remains.

Generated by OpenCVE AI on April 18, 2026 at 06:09 UTC.

Remediation

Vendor Workaround

Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources "SICK Operating Guidelines" and "ICS-CERT recommended practices on Industrial Security" could help to implement the general security practices.

OpenCVE Recommended Actions

  • Ensure that only trusted and authorized entities have network or physical access to the TDC‑X401GL device.
  • Configure the device’s web interface to send the X‑Frame‑Options header or use frame‑busting scripts to prevent the page from being embedded in frames.
  • Follow the SICK Operating Guidelines and adhere to industry recommendations for industrial security provided by ITCS to strengthen overall protection.

Generated by OpenCVE AI on April 18, 2026 at 06:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Title Missing Clickjacking Protection Allows Sensitive Data Extraction

Fri, 23 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware
CPEs cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*
cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products Sick
Sick tdc-x401gl
Sick tdc-x401gl Firmware

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Sick Ag
Sick Ag tdc-x401gl
Vendors & Products Sick Ag
Sick Ag tdc-x401gl

Thu, 15 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Description An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data.
Weaknesses CWE-1021
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Sick Tdc-x401gl Tdc-x401gl Firmware
Sick Ag Tdc-x401gl
cve-icon MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T14:36:41.215Z

Reserved: 2026-01-13T09:11:12.759Z

Link: CVE-2026-22918

cve-icon Vulnrichment

Updated: 2026-01-15T14:36:36.655Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T13:16:06.790

Modified: 2026-01-23T18:41:25.670

Link: CVE-2026-22918

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses