Impact
A clickjacking flaw exists in the Transmission WebUI and in RPC responses that can allow an attacker to trick users into clicking on elements they do not intend, potentially taking control of the application workflow. This weakness does not provide direct code execution but can result in unintended actions being performed through the web interface, compromising user intent. The flaw is a typical iframe or overlay attack surface, which violates the confidentiality and integrity of user interactions.
Affected Systems
The vulnerability affects Transmission versions up to and including 4.1.1. Users running any of these releases expose the WebUI endpoint and RPC call format to exploitation. Versions newer than 4.1.1 are not stated as affected, implying the fix is likely present in later releases.
Risk and Exploitability
CVSS and EPSS scores are not available, so an exact severity level cannot be quantified from the data provided. Because the vulnerability relies on a browser component, an attacker would need to trick the user into visiting a malicious site that frames the targeted Transmission interface, or inject malicious client requests to the RPC endpoint. No known exploit package has been reported, and the vulnerability is not listed in the CISA KEV catalog. The lack of publicly disclosed exploitation suggests a lower short-term risk, but the nature of clickjacking makes any authenticated or unauthenticated user susceptible if the interface is exposed to untrusted networks.
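One way to check whether a WebUI or RPC response carries a defence against the framing described above, as an added example (not from the advisory or the Transmission project). It assumes the standard browser anti-framing headers, X-Frame-Options and CSP frame-ancestors, which the advisory does not name; the sample header sets are constructed.

```python
# Added example: decide from response headers whether a page can be framed.
# Header sets in SAMPLES are constructed, not captured from Transmission.

def frame_ancestors(csp_values):
    """Return the frame-ancestors source list of every enforced CSP policy that has one."""
    found = []
    for value in csp_values:
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    found.append([p.lower() for p in parts[1:]])
                    break                      # repeats within one policy are ignored
    return found

def is_open(source):
    """True for sources that match any origin: *, a bare scheme, or scheme://*."""
    return source == "*" or source.endswith(":") or source.endswith("://*")

def framing_verdict(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason)."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = [t.strip().lower() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",")]
    policies = frame_ancestors(csp)
    if policies:
        # Browsers ignore X-Frame-Options once an enforced frame-ancestors exists.
        for sources in policies:
            if not any(is_open(s) for s in sources):
                return True, "csp frame-ancestors " + (" ".join(sources) or "'none'")
        return False, "csp frame-ancestors allows any origin"
    if any(t in ("deny", "sameorigin") for t in xfo):
        return True, "x-frame-options"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it falls through.
    return False, "no effective anti-framing header"

SAMPLES = {
    "webui_bare": [("Content-Type", "text/html")],
    "rpc_allow_from": [("X-Frame-Options", "ALLOW-FROM https://example.test")],
    "webui_hardened": [("X-Frame-Options", "DENY"),
                       ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp_star_beats_xfo": [("X-Frame-Options", "DENY"),
                           ("Content-Security-Policy", "frame-ancestors *")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_verdict(hdrs))
```

The last sample shows why both headers need reviewing together: a permissive frame-ancestors leaves the response frameable even though X-Frame-Options says DENY.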
OpenCVE Enrichment