CVE-2026-55740
SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL โ for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 โ to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.
| CWE | CWE-89 |
| Vendor | nur-alam39 |
| Product | bus-ticket |
| Published | Jun 18, 2026 |
Get instant alerts for nur-alam39 bus-ticket
Be the first to know when new critical vulnerabilities affecting nur-alam39 bus-ticket are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H