CVE-2026-1449
Published: 27 January 2026
Summary
CVE-2026-1449 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-1449 is a SQL injection vulnerability (CWE-74, CWE-89) in the Hisense TransTech Smart Bus Management System versions up to 20260113. The flaw resides in the Page_Load function of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx, where manipulation of the 'key' argument enables SQL injection.
The vulnerability is exploitable remotely by unauthenticated attackers requiring low attack complexity, per its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Attackers can inject malicious SQL payloads via the affected argument to potentially read sensitive data, modify database contents, or disrupt service availability to a limited extent.
Advisories from VulDB and a GitHub issue detail the vulnerability but note no vendor response despite early disclosure contact. An exploit has been published and may be actively used, with no patches or official mitigations available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4735
Vulnerability details
A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in public-facing web app (TireMng.aspx) directly enables remote unauthenticated exploitation of the application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted inputs such as the 'key' argument before they reach SQL statements in TireMng.aspx.
- SC-7 (Boundary Protection): boundary protection devices or WAF rules can inspect and block SQL injection payloads sent remotely to the affected ASPX endpoint.
- System Monitoring: monitoring of web server and database logs can identify anomalous SQL syntax in requests, or database error patterns, indicative of injection attempts against the BusComManagement page.
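As an added defender-side illustration of the monitoring control (this is not code from the advisory, VulDB, or the vendor), the following Python scans IIS W3C log lines for requests to the affected TireMng.aspx endpoint whose `key` argument carries SQL metacharacters or keywords. The log lines, client addresses and the assumption that legitimate key values look like plain record identifiers are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C log excerpt (not from any real deployment). The
# request path is the one named in the advisory; everything else is made up.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-01-27 10:00:01 GET /YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx key=TR-1042 203.0.113.5 200
2026-01-27 10:00:07 GET /YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx key=TR-1042%27%20OR%201%3D1-- 198.51.100.9 200
2026-01-27 10:00:09 GET /YZSoft/Forms/XForm/BM/BusComManagement/Other.aspx key=x%27%20OR%201%3D1-- 198.51.100.9 200
2026-01-27 10:00:12 GET /YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx key=TR-1043%20UNION%20SELECT%20name%20FROM%20sysobjects 198.51.100.9 500
"""

AFFECTED_STEM = "/YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx"
AFFECTED_PARAM = "key"

# Tokens that should never appear in a legitimate record identifier
# (assumption: real values look like the TR-NNNN form in the sample).
SUSPICIOUS = re.compile(r"""(?ix)
    '        |   # string terminator
    --       |   # SQL line comment
    /\*      |   # block comment
    ;        |   # statement separator
    \b(union|select|insert|update|delete|drop|exec|xp_\w+|waitfor)\b
""")

def parse_w3c(text):
    """Yield one dict per request line, using the log's own #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_injection_attempts(text):
    """Return (client ip, status, decoded key) for suspicious hits on the affected page."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() != AFFECTED_STEM.lower():
            continue  # other pages are out of scope for this detection
        for value in parse_qs(row.get("cs-uri-query", "")).get(AFFECTED_PARAM, []):
            decoded = unquote_plus(value)  # second decode catches double-encoded input
            if SUSPICIOUS.search(decoded):
                hits.append((row["c-ip"], row["sc-status"], decoded))
    return hits

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Because the check keys on the exact vulnerable path and parameter, it stays quiet on ordinary traffic; a 500 status beside a flagged value is a useful secondary signal that the payload reached the database.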