Description
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection in the bus_info.php script of the Nur-Alam39 bus-ticket application. The busid value is read from the body of an HTTP POST request and concatenated directly into the query string (select * from bus_info where id=$busid), which is then executed with mysqli_query(). Because the value lands in a numeric, unquoted context, the attacker needs no quote character to break out of the intended query: a payload such as -1 UNION SELECT 1,2,3,4,5,6 is parsed as valid SQL and returns attacker-chosen rows, allowing data to be read from any table the database account can reach, not only bus_info. The application connects as the MySQL root account with an empty password, so that reach extends to every database on the server. No sanitization, escaping or parameterization is applied to the input. This flaw corresponds to CWE-89, improper neutralization of special elements used in an SQL command.

Affected Systems

Nur-Alam39 bus-ticket has no released versions; the advisory references the latest commit, 459cabdbeb99c00225b26e46e3c2c30ae1de7bad (459cabd), as affected. The flaw is in bus_info.php, which is reachable through the web application without authentication.

Risk and Exploitability

The CVSS 4.0 base score of 9.3 (9.8 under CVSS 3.1) reflects network-reachable, low-complexity exploitation with no privileges or user interaction required and high impact on confidentiality, integrity and availability. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, the flaw is unauthenticated and the application connects to MySQL as the root account with an empty password, so an attacker who can reach the service over HTTP can inject SQL without any credentials and retrieve data from every database on the server, not just bus_service. Because the query runs through mysqli_query(), stacked (semicolon-separated) statements are not possible, which limits payload complexity but still permits UNION-based extraction. The risk is highest where the application is directly exposed and database access is not properly constrained.

Generated by OpenCVE AI on June 18, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the vulnerable code with a parameterized query or prepared statement that binds the busid value, ensuring input is treated as a parameter and not executable SQL.
  • Change the MySQL root account credentials to a strong password and create a dedicated database user with the minimum privileges required to query bus_info, thereby reducing the potential impact if the injection is successful.
  • Enforce authentication for all routes that use the bus_info.php endpoint, so only authorized users can access the data, and reject unauthenticated requests at the application or web server level.

Generated by OpenCVE AI on June 18, 2026 at 20:27 UTC.
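The following is an added example, not code from the Nur-Alam39 bus-ticket project: it reproduces the vulnerable pattern the description attributes to bus_info.php (POST busid concatenated into a numeric, unquoted context and run with mysqli_query()) and places the hardened form from the first two recommended actions beside it: integer validation, a prepared statement with a bound parameter, and a least-privilege database account instead of root. The host, the bus_app account and its password, and the column names of bus_info are assumptions; the advisory only states that the table has six columns.

```php
<?php
// Added example (not the project's own code). Vulnerable pattern as described
// in the advisory, followed by a hardened replacement for bus_info.php.
declare(strict_types=1);

// Throw on every mysqli error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable form, as the advisory describes it -------------------------
// $busid comes straight from the POST body. Because it is placed in a numeric
// (unquoted) context, a payload such as
//     busid=-1 UNION SELECT 1,2,3,4,5,6
// needs no quote character at all; mysqli_query() runs it unchanged. Stacked
// statements (";DROP TABLE ...") are rejected by mysqli_query(), but UNION
// extraction works fine.
function bus_info_vulnerable(mysqli $db, string $busid): array
{
    $result = mysqli_query($db, "select * from bus_info where id=$busid");
    return $result->fetch_all(MYSQLI_ASSOC);
}

// --- Hardened form ----------------------------------------------------------
// 1. Reject anything that is not a positive integer before it reaches MySQL.
// 2. Bind the value as an integer parameter of a prepared statement, so the
//    query text is fixed and the value can never be parsed as SQL.
// 3. Select named columns rather than *, so the response shape is explicit.
function bus_info_safe(mysqli $db, mixed $rawBusid): ?array
{
    $busid = filter_var($rawBusid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($busid === false) {
        http_response_code(400);
        return null;
    }

    // Column names are an assumption; the advisory only says the table has six columns.
    $stmt = $db->prepare(
        'SELECT id, bus_name, source, destination, fare, seats FROM bus_info WHERE id = ?'
    );
    $stmt->bind_param('i', $busid);   // 'i' = integer; the value is sent out of band
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Connect as a dedicated read-only account instead of root with an empty
// password. Account name and password are placeholders; the account would be
// created with something like (assumed statement, run as a DBA):
//     CREATE USER 'bus_app'@'localhost' IDENTIFIED BY 'change-me';
//     GRANT SELECT ON bus_service.bus_info TO 'bus_app'@'localhost';
$db = new mysqli('127.0.0.1', 'bus_app', 'change-me', 'bus_service');

header('Content-Type: application/json');
$row = bus_info_safe($db, $_POST['busid'] ?? '');
echo json_encode($row ?? ['error' => 'invalid busid']);
```

With the hardened form, the payload from the description (busid=-1 UNION SELECT 1,2,3,4,5,6) is rejected by filter_var() with a 400 before any query is built; even if validation were bypassed, bind_param('i', ...) transmits the value as an integer parameter and the server never parses it as SQL. The GRANT in the comment limits what a future injection elsewhere in the application could read to the single bus_info table, which is the point of the second recommended action.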

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.

Type: Title
Values Removed: (none)
Values Added: SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}



MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:59:22.428Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55740

Vulnrichment

Updated: 2026-06-18T12:55:44.762Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')