CVE-2026-55740

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli query(), which does not permit stacked (semicolon-separated) statements.