1. Home
  2. Vulnerabilities
  3. CVE-2026-55740
9.8
CRITICAL CVSS 3.1
CVE-2026-55740
SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter
Overview
Description

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.

Details
INFO

Published Date :

June 18, 2026, 5:48 a.m.

Last Modified :

June 18, 2026, 5:48 a.m.

Remotely Exploit :

Yes !

Source :

TuranSec
Impact
Affected Products

The following products are affected by CVE-2026-55740 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
CVSS 4.0 CRITICAL 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Solution
Fix SQL injection by parameterizing queries and restricting database privileges.
  • Use prepared statements with parameterized queries.
  • Avoid direct SQL query concatenation.
  • Limit MySQL root account privileges.
  • Validate and sanitize all user inputs.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-55740 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 9.3
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact