CVE-2026-55740
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
The Nur-Alam39 bus-ticket application contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is directly concatenated into a MySQL query without sanitization, allowing a remote attacker to inject arbitrary SQL.
Risk Assessment
This vulnerability allows an unauthenticated attacker to read arbitrary data from the bus_service database. Additionally, the application connects to the database as the MySQL root account with an empty password, increasing the risk.
Recommendation
It is recommended to implement proper sanitization and parameterization of SQL queries and to secure the database account with a strong password. Access to the database should also be restricted.
Original NVD description (English source)
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.

