CVE-2026-38978
5.3 MEDIUMtransmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths
Published: 2026-06-02 · Last updated: 2026-06-05
Severity and scoring
- CVSS
- 5.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE
- CWE-113
Description
transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-38978
- [Other]https://github.com/transmission/transmission/commit/6b24c1c214ec6a44fa5fdff0ce7da6b16d8ecaa8
- [Other]https://github.com/transmission/transmission/issues/8726
- [Other]https://github.com/transmission/transmission/pull/8747
- [Other]https://github.com/transmission/transmission/issues/8726
Related CVEs
Same CWE
- CVE-2026-43966 — Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HT...
- CVE-2026-48596 — Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows ...
- CVE-2026-38967 — CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values (9.8 CRITICAL)
- CVE-2026-47675 — Hono is a Web application framework that provides support for any JavaScript runtime (4.3 MEDIUM)
- CVE-2026-9658 — Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths (7.3 HIGH)