Home

Description

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.

PUBLISHED Reserved 2026-06-17 | Published 2026-06-18 | Updated 2026-06-18 | Assigner TuranSec




CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
affected

Credits

Eshmurzayev Abbos finder

References

github.com/...beb99c00225b26e46e3c2c30ae1de7bad/bus_info.php (Vulnerable code: bus_info.php (busid concatenated into SQL)) technical-description

github.com/Nur-Alam39/bus-ticket product

cve.org (CVE-2026-55740)

nvd.nist.gov (CVE-2026-55740)

Download JSON