Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths.
AnalysisAI
Transmission BitTorrent client through version 4.1.1 fails to emit anti-clickjacking HTTP response headers on its browser-facing WebUI and RPC endpoint, enabling an attacker to embed the interface in a cross-origin iframe and redirect authenticated user interactions to unintended RPC actions. The fix confirmed in upstream PR #8747 adds both X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self' to all relevant responses. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates low current exploitation interest.
Technical ContextAI
Transmission includes a built-in HTTP server (libtransmission/rpc-server.cc) that serves a browser-based WebUI and JSON-RPC endpoint, typically on TCP port 9091. The vulnerability exists because HTTP responses from this server omit framing-control headers, allowing any cross-origin page to load the interface in an iframe without browser enforcement. The assigned CWE is CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers), which describes HTTP response splitting via injected headers - this appears to be an imprecise classification for a missing-header clickjacking issue, which more accurately maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). The upstream fix in commit 6b24c1c214ec6a44fa5fdff0ce7da6b16d8ecaa8 adds evhttp_add_header calls emitting X-Frame-Options: SAMEORIGIN (for legacy browser compatibility) and Content-Security-Policy: frame-ancestors 'self' (for modern browsers), consistent with OWASP Clickjacking Defense Cheat Sheet guidance referenced in the patch comments. The CPE data provided (cpe:2.3:a:n/a:n/a) is non-specific and not useful for inventory matching - affected versions must be identified directly from the Transmission project.
RemediationAI
An upstream fix is available via GitHub PR #8747 (https://github.com/transmission/transmission/pull/8747) and commit 6b24c1c214ec6a44fa5fdff0ce7da6b16d8ecaa8 - however, a released patched version is not independently confirmed from the provided data; monitor the Transmission releases page for an official tagged version incorporating this commit before deploying. As an immediate compensating control, restrict access to the Transmission RPC/WebUI port (default TCP 9091) to localhost or a specific trusted internal subnet using host-based firewall rules (e.g., iptables, ufw, or Windows Firewall); this eliminates the cross-origin reachability that clickjacking requires, with the trade-off of removing remote WebUI access. Enabling Transmission's built-in HTTP authentication adds a credential barrier and reduces passive session exposure, but does not mitigate clickjacking against an already-authenticated session. Do not expose TCP 9091 directly to the internet without the patched headers in place.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33971
GHSA-6rg3-8m29-j28q