CVE-2026-55740: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Nur-Alam39 bus-ticket
Nur-Alam39 bus-ticket contains a critical unauthenticated SQL injection vulnerability in the bus_info.php script. The busid parameter is used directly in a SQL query without any sanitization or parameterization, allowing remote attackers to inject arbitrary SQL commands. The application connects to the database as the MySQL root user with an empty password, significantly increasing the potential impact. The vulnerability allows reading arbitrary data from the bus_service database. No patch or remediation guidance is currently provided.
AI Analysis
Technical Summary
The Nur-Alam39 bus-ticket application has an unauthenticated SQL injection vulnerability (CWE-89) in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query without sanitization, escaping, or parameterization, in a numeric context. This enables remote attackers to inject arbitrary SQL, such as UNION-based payloads, to extract data from the bus_service database. The application connects to MySQL as root with an empty password, increasing the severity. The query execution via mysqli_query() disallows stacked queries, limiting some attack vectors. No official remediation or patch is currently available.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries on the backend database, potentially reading sensitive data from the bus_service database. The use of the MySQL root account with no password exacerbates the impact, possibly allowing full database compromise. The vulnerability affects confidentiality, integrity, and availability, as reflected by the CVSS 3.1 score of 9.8 (critical).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to implement input validation and parameterized queries to prevent SQL injection. Additionally, the database should not be accessed using the root account with an empty password; proper database user privileges and strong authentication should be enforced.
CVE-2026-55740: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Nur-Alam39 bus-ticket
Description
Nur-Alam39 bus-ticket contains a critical unauthenticated SQL injection vulnerability in the bus_info.php script. The busid parameter is used directly in a SQL query without any sanitization or parameterization, allowing remote attackers to inject arbitrary SQL commands. The application connects to the database as the MySQL root user with an empty password, significantly increasing the potential impact. The vulnerability allows reading arbitrary data from the bus_service database. No patch or remediation guidance is currently provided.
CVSS v3.1
Score 9.8critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Nur-Alam39 bus-ticket application has an unauthenticated SQL injection vulnerability (CWE-89) in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query without sanitization, escaping, or parameterization, in a numeric context. This enables remote attackers to inject arbitrary SQL, such as UNION-based payloads, to extract data from the bus_service database. The application connects to MySQL as root with an empty password, increasing the severity. The query execution via mysqli_query() disallows stacked queries, limiting some attack vectors. No official remediation or patch is currently available.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries on the backend database, potentially reading sensitive data from the bus_service database. The use of the MySQL root account with no password exacerbates the impact, possibly allowing full database compromise. The vulnerability affects confidentiality, integrity, and availability, as reflected by the CVSS 3.1 score of 9.8 (critical).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to implement input validation and parameterized queries to prevent SQL injection. Additionally, the database should not be accessed using the root account with an empty password; proper database user privileges and strong authentication should be enforced.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- TuranSec
- Date Reserved
- 2026-06-17T12:59:17.621Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33875bf198dc38c1370f2b
Added to database: 6/18/2026, 5:51:23 AM
Last enriched: 6/18/2026, 6:05:11 AM
Last updated: 6/18/2026, 6:51:42 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.