CVE-2026-55740
Received Received - Intake
Unauthenticated SQL Injection in Nur-Alam39 Bus-Ticket System

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL β€” for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 β€” to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-55740
EUVD
EUVD-2026-37851
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nur-alam39 bus-ticket *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated SQL injection in the bus_info.php file of the Nur-Alam39 bus-ticket system. The busid parameter, received via HTTP POST, is directly concatenated into a MySQL query without any sanitization, escaping, or parameterization. Because the query is constructed in a numeric context without quotes, an attacker can inject arbitrary SQL code, such as a UNION-based payload, to read data from the bus_service database.

The application connects to the database as the MySQL root user with an empty password, which significantly increases the potential impact of this vulnerability. The query is executed using mysqli_query(), which does not allow multiple semicolon-separated statements, but the injection still allows data extraction.

Impact Analysis

This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL queries on the bus_service database. This can lead to unauthorized disclosure of sensitive data stored in the database.

Because the database connection uses the MySQL root account with no password, the attacker could potentially access or manipulate all data within the database, leading to data breaches, data loss, or unauthorized data modification.

Detection Guidance

This vulnerability can be detected by testing the bus_info.php endpoint for SQL injection via the busid parameter sent through HTTP POST requests.

A common detection method is to send specially crafted SQL injection payloads in the busid parameter and observe the response for unexpected data or errors.

  • Use curl to send a POST request with a SQL injection payload, for example: curl -X POST -d "busid=-1 UNION SELECT 1,2,3,4,5,6" http://target-domain/bus_info.php
  • Monitor the HTTP response for data that indicates successful injection, such as additional rows or database error messages.
  • Use automated SQL injection detection tools like sqlmap targeting the bus_info.php endpoint with the busid parameter.
Mitigation Strategies

Immediate mitigation steps include sanitizing and parameterizing the busid input to prevent SQL injection.

Specifically, use prepared statements with parameterized queries instead of directly concatenating user input into SQL queries.

Additionally, change the database connection to use a non-root user with a strong password and least privileges necessary.

If possible, restrict access to the bus_info.php endpoint to trusted users or networks until a proper fix is implemented.

Review and update the code to validate and sanitize all user inputs before using them in database queries.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform SQL injection attacks, potentially exposing arbitrary data from the bus_service database.

Such unauthorized data access can lead to breaches of confidentiality, integrity, and availability of sensitive information.

This exposure and lack of proper access control and input validation can result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Additionally, the use of the MySQL root account with no password further increases the risk of data compromise, exacerbating compliance issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart