Sick
Products by Sick Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 30 vulnerabilities in Sick with an average score of 5.9 out of ten. Last year, in 2025, Sick had 24 security vulnerabilities published. That is, 6 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the 2026 vulnerabilities is also higher, by 0.44.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 30 | 5.90 |
| 2025 | 24 | 5.47 |
| 2024 | 1 | 8.80 |
| 2023 | 2 | 8.60 |
| 2022 | 9 | 8.31 |
| 2021 | 3 | 8.23 |
It may take a day or so for new Sick vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Sick Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-2331 | Mar 06, 2026 | **AppEngine HTTP FileAccess Unauth R/W Enables Config File Leak.** An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment. | |
| CVE-2026-2330 | Mar 06, 2026 | **SICK CROWN REST interface fails whitelist, arbitrary filesystem access.** An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directories intended for internal testing were not covered by the whitelist and are accessible without authentication. An unauthenticated attacker could place a manipulated parameter file that becomes active after a reboot, allowing modification of critical device settings, including network configuration and application parameters. | |
| CVE-2026-1627 | Feb 27, 2026 | **SICK AG Device SSH Weak MAC Exploit.** An attacker may exploit the use of outdated and weak MAC algorithms in the device's SSH service to potentially compromise the integrity of the SSH session, allowing manipulation of transmitted data if the attacker can interact with the network traffic. | |
| CVE-2026-1626 | Feb 27, 2026 | **Weak CBC Cipher Suites in SICK AG SSH Service Enable Eavesdropping.** An attacker may exploit the use of weak CBC-based cipher suites in the device's SSH service to potentially observe or manipulate parts of the encrypted SSH communication, if they are able to intercept or interact with the network traffic. | |
| CVE-2026-22646 | Jan 15, 2026 | **SICK AG: Error Message Info Leakage Enables Reconnaissance.** Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (such as file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. | |
| CVE-2026-22645 | Jan 15, 2026 | **SICK AG App Leaks Component Versions to Unauth Actors.** The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of the used components. | |
| CVE-2026-22644 | Jan 15, 2026 | **Auth Token Exposure via URL Query in SICK AG Web App.** Certain requests pass the authentication token in the URL as a query-string parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access. | |
| CVE-2026-22643 | Jan 15, 2026 | CVE-2026-22643 | |
| CVE-2026-22642 | Jan 15, 2026 | CVE-2026-22642 | |
| CVE-2026-22641 | Jan 15, 2026 | CVE-2026-22641 | |
| CVE-2026-22640 | Jan 15, 2026 | CVE-2026-22640 | |
| CVE-2026-22639 | Jan 15, 2026 | CVE-2026-22639 | |
| CVE-2026-22638 | Jan 15, 2026 | CVE-2026-22638 | |
| CVE-2026-22637 | Jan 15, 2026 | CVE-2026-22637 | |
| CVE-2026-0713 | Jan 15, 2026 | CVE-2026-0713 | |
| CVE-2026-0712 | Jan 15, 2026 | CVE-2026-0712 | |
| CVE-2026-22920 | Jan 15, 2026 | **SICK AG Device Password Salting Flaw (CVE-2026-22920).** The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. | |
| CVE-2026-22919 | Jan 15, 2026 | **SICK AG: XSS via Admin-Injected Login Page Content.** An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. | |
| CVE-2026-22918 | Jan 15, 2026 | **SICK AG Web UI Clickjacking (CVE-2026-22918).** An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. | |
| CVE-2026-22917 | Jan 15, 2026 | **SICK AG DDOS via Improper Input in System Endpoint.** Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. | |
| CVE-2026-22916 | Jan 15, 2026 | **SICK AG Device: Low-Privilege Reboot/Factory Reset Exploit.** An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. | |
| CVE-2026-22915 | Jan 15, 2026 | **SICK AG device LFR via low-privilege (CVE-2026-22915).** An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. | |
| CVE-2026-22914 | Jan 15, 2026 | **Limited-Perm Attack Lets Write Files on SICK AG IoT Device.** An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. | |
| CVE-2026-22913 | Jan 15, 2026 | **SICK iPort XSS via URL Parameter.** Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. | |
| CVE-2026-22912 | Jan 15, 2026 | **SICK AG login param redirect leads to phishing post-auth.** Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks, including stealing credentials from unsuspecting users. | |
| CVE-2026-22911 | Jan 15, 2026 | **Firmware Update Exposes Password Hashes - Remote Credential Theft (CVE-2026-22911).** Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | |
| CVE-2026-22910 | Jan 15, 2026 | **SICK AG Device Exposes Hidden User Levels via Default Passwords.** The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. | |
| CVE-2026-22909 | Jan 15, 2026 | **SICK AG Unauthorized Access Enables App Control on Safety Controllers.** Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. | |
| CVE-2026-22908 | Jan 15, 2026 | **Unvalidated Container Image Upload Allows RCE in SICK AG Software.** Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. | |
| CVE-2026-22907 | Jan 15, 2026 | **SICK AG: Host FS Access vuln (CVE-2026-22907).** An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. | |
| CVE-2025-59463 | Oct 27, 2025 | **Chunk-Size Mismatch in File Transfer Causes Transfer Failure.** An attacker may cause chunk-size mismatches that block file transfers and prevent subsequent transfers. | |
| CVE-2025-59462 | Oct 27, 2025 | **C++ CLI tampering crashes UpdateService, disrupting updates.** An attacker who tampers with the C++ CLI client may crash the UpdateService during file transfers, disrupting updates and availability. | |
| CVE-2025-59461 | Oct 27, 2025 | **Remote unauthenticated access via C++ API.** A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services. | |
| CVE-2025-59460 | Oct 27, 2025 | **Unknown Product Default Config Enables Unauthorised Connections.** The system is deployed in its default state, with configuration settings that do not comply with the latest best practices for restricting access. This increases the risk of unauthorised connections. | |
| CVE-2025-59459 | Oct 27, 2025 | **OpenSSH unprivileged account allows persistent SSH/Service DoS.** An attacker who gains SSH access to an unprivileged account may be able to disrupt services (including SSH), causing persistent loss of availability. | |
| CVE-2025-10561 | Oct 27, 2025 | **Outdated OS Vulnerability on Unknown Device.** | |
| CVE-2025-58579 | Oct 06, 2025 | **Unauthenticated Endpoint Enables User Enumeration.** Due to a lack of authentication, it is possible for an unauthenticated user to request data from this endpoint, making the application vulnerable to user enumeration. | |
| CVE-2025-58591 | Oct 06, 2025 | **Remote Brute Force FOF Disclosure for Private Keys.** A remote, unauthorized attacker can brute force folders and files and read them (such as private keys or configurations), making the application vulnerable to the gathering of sensitive information. | |
| CVE-2025-58590 | Oct 06, 2025 | **Directory Listing Brute-Force Vulnerability (CVE-2025-58590).** It is possible to brute force folders and files, which an attacker can use to steal sensitive information. | |
| CVE-2025-58589 | Oct 06, 2025 | **Stacktrace Disclosure Reveals Class & Method Names.** When an error occurs in the application, a full stacktrace is provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker thus receives information about the technology used and the structure of the application. | |
| CVE-2025-58587 | Oct 06, 2025 | **Unknown Product: Brute-Force Attacks via Missing Auth Throttling.** The application does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it possible for an attacker to guess user credentials. | |
| CVE-2025-58586 | Oct 06, 2025 | **Username Enumeration via ErrMsg in Login Auth System.** For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |
| CVE-2025-58585 | Oct 06, 2025 | **Auth Bypass: Unauth Endpoints Leak Sensitive Info.** Multiple endpoints with sensitive information do not require authentication, making the application susceptible to information gathering. | |
| CVE-2025-58584 | Oct 06, 2025 | **CVE-2025-58584: Credentials in URL Leak via Logs.** In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally. | |
| CVE-2025-58583 | Oct 06, 2025 | **Unauth H2 DB Access via Prefilled Username.** The application provides access to a login-protected H2 database for caching purposes. The username is prefilled. | |
| CVE-2025-58582 | Oct 06, 2025 | **Large-Size Unvalidated POST Triggers Log Injection DoS (CVE-2025-58582).** If a user tries to log in but the provided credentials are incorrect, a log entry is created. The data for this POST request is not validated, and it is possible to send giant payloads, which are then logged. | |
| CVE-2025-58581 | Oct 06, 2025 | **Info Exposure: Stacktrace Leak in Java App.** When an error occurs in the application, a full stacktrace is provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker can thus obtain information about the technology used and the structure of the application. | |
| CVE-2025-58580 | Oct 06, 2025 | **API POST Endpoint Enabling Arbitrary Log Entry Injection.** An API endpoint allows arbitrary log entries to be created via a POST request. Without sufficient validation of the input data, an attacker can create manipulated log entries and thus falsify or dilute logs, for example. | |
| CVE-2025-58578 | Oct 06, 2025 | **Unrestricted User Account Creation via API Endpoint (CVE-2025-58578).** A user with the appropriate authorization can create any number of user accounts via an API endpoint using a POST request. There are no quotas, checking mechanisms or restrictions to limit the creation. | |
| CVE-2025-9914 | Oct 06, 2025 | **Local DB Credential Leak Enables Unauthorized Access.** The credentials of the users stored in the system's local database can be used to log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application. | |