Description
An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data.
Published: 2026-01-15
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

An attacker with administrative access to the Sick TDC‑X401GL system can inject malicious code into the device’s login page. This is a classic stored cross‑site scripting vulnerability: the injected script executes in the browser of every user who loads the page, which could lead to the theft of sensitive information. The underlying weakness is CWE‑79, improper neutralization of input during web page generation.

Affected Systems

SICK AG’s TDC‑X401GL line, including all firmware and software builds that have not been updated to the latest release (1.5.0 or later). No specific affected firmware version range is provided, but the vendor recommendation indicates that versions older than 1.5.0 are impacted.

Risk and Exploitability

The CVSS score of 3.8 classifies the problem as low severity. The estimated EPSS score of less than 1% suggests that real‑world exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires privileged administrative access to the device, so the attack surface is limited to environments where such credentials exist or have been compromised. Once authenticated as an administrator, an attacker could place malicious script fragments into the login page; because the login page is served before authentication, the script would run in the browser of any user who opens it, including other administrators, enabling the extraction of credentials or other confidential data.

Generated by OpenCVE AI on April 18, 2026 at 06:08 UTC.

Remediation

Vendor Solution

Users are strongly recommended to upgrade to the latest release of TDC-X401GL (>= 1.5.0).


OpenCVE Recommended Actions

  • Update the TDC‑X401GL firmware to version 1.5.0 or later, following the vendor’s upgrade instructions.
  • Remove any unauthorized modifications to the login page and ensure that only the officially supplied page is served.
  • Restrict administrative access by enforcing multifactor authentication and least‑privilege principles, reducing the likelihood that an attacker can inject malicious content.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:30:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Scripting in Sick TDC‑X401GL Login Page

Fri, 23 Jan 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware
CPEs | | cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*; cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware

Fri, 16 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sick Ag; Sick Ag tdc-x401gl
Vendors & Products | | Sick Ag; Sick Ag tdc-x401gl

Thu, 15 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data.
Weaknesses | | CWE-79
References | |
Metrics (cvssV3_1) | | {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: SICK AG
Published:
Updated: 2026-01-15T14:34:02.134Z
Reserved: 2026-01-13T09:11:12.759Z
Link: CVE-2026-22919

Vulnrichment

Updated: 2026-01-15T14:33:57.508Z

NVD

Status: Analyzed
Published: 2026-01-15T13:16:06.923
Modified: 2026-01-23T18:39:18.893
Link: CVE-2026-22919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses