CVE Catalog

CVE-2026-55740

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

28th percentile — higher than 28% of all known CVEs

Summary

The Nur-Alam39 bus-ticket application contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is directly concatenated into a MySQL query without sanitization, allowing a remote attacker to inject arbitrary SQL.

Risk Assessment

This vulnerability allows an unauthenticated attacker to read arbitrary data from the bus_service database. Additionally, the application connects to the database as the MySQL root account with an empty password, increasing the risk.

Recommendation

It is recommended to implement proper sanitization and parameterization of SQL queries and to secure the database account with a strong password. Access to the database should also be restricted.

Original NVD description (English source)

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS