Skip to main content

Bus Ticket

1 CVEs product

Monthly

CVE-2026-55740 CRITICAL Act Now

Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.

PHP SQLi Bus Ticket
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.

PHP SQLi Bus Ticket
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy