By severity

Low-severity vulnerabilities

CVEs rated Low by CVSS, with SEC.co remediation and prioritization guidance.

105 published vulnerabilities · page 2 of 2

  • CVE-2026-49317LOW 2.4

    The 2025 Indian Motorcycle Scout Bobber + Tech infotainment system has a logic flaw in how it initializes during boot. The system is supposed to require a PIN to unlock, but it uses a problematic shortcut: it checks whether it detects wireless messages from the motorcycle's Wireless Control Module (WCM) during startup. If those messages are absent, the system assumes no immobilizer is present and skips the PIN screen entirely, granting immediate access to the infotainment interface. An attacker with adjacent network access can silence the WCM during the boot window—using techniques like a CAN bus-off attack—to trick the system into thinking the immobilizer is not installed, thereby bypassing the PIN protection that should guard the interface.

  • CVE-2026-49318LOW 2.4

    A flaw in the 2025 Indian Motorcycle Scout Bobber + Tech's infotainment system allows someone with physical proximity to the motorcycle to unlock the digital display without entering the correct PIN. The system incorrectly assumes that if it doesn't detect wireless signals from a control module during startup, no security PIN is needed. An attacker can exploit this by blocking those signals during the boot process, causing the system to skip the PIN screen entirely and display the full user interface.

  • CVE-2026-50266LOW 2.2

    A flaw in OpenStack Neutron versions before 28.0.1 allows project managers to perform network spoofing attacks on shared networks. The vulnerability stems from overly permissive role-based access control (RBAC) policies that allow any project manager to create or modify ports on networks they don't own, and crucially, to assign those ports special "trusted" network service identities (like DHCP servers). This bypasses normal anti-spoofing rules and security group protections, enabling attackers to spoof DHCP, MAC, or IP addresses to target other tenants sharing the same network. This is a reintroduction of a vulnerability that was supposedly fixed nearly a decade ago.

  • CVE-2026-45403LOW 2.0

    AnythingLLM versions before 1.13.0 contain a path traversal vulnerability in the agent filesystem copy tool. When copying files, the application only validates the top-level source and destination directories but fails to validate nested files or reject symbolic links. An attacker with high privileges could create or exploit a symlink nested within an allowed source directory to read files outside the intended filesystem boundaries and copy them to an allowed destination, potentially exposing sensitive data. The vulnerability requires high user privileges, complex conditions, and user interaction to exploit, making practical real-world abuse unlikely despite the core weakness.

  • CVE-2026-47713LOW 2.0

    AnythingLLM versions before 1.13.0 contain a token persistence flaw that can leak sensitive data when administrators migrate from single-user to multi-user mode. A mobile device token issued in single-user mode may remain valid after the migration, allowing it to bypass user-scoping controls and access workspaces and chat content belonging to other users. The vulnerability requires an attacker to have had a legitimate mobile device token before the migration, then exploit it post-migration in the multi-user environment.