HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-55740Published Modified CNA TuranSec

CVE-2026-55740: SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated attacker can inject arbitrary SQL — for example a UNION-based payload such as busid=-1 UNION SELECT 1,2,3,4,5,6 — to read arbitrary data from the bus_service database. The application connects to the database as the MySQL root account with an empty password, increasing the potential impact. The query is executed via mysqli_query(), which does not permit stacked (semicolon-separated) statements.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

SQL injection in Nur-Alam39 bus-ticket allows a remote, unauthenticated attacker to inject arbitrary SQL through the busid parameter in bus_info.php, which is concatenated directly into a MySQL query without any sanitization or parameterization. The service is reachable over the network and requires no credentials, and the application connects to MySQL as root with an empty password. Successful exploitation gives the attacker full read and write access to the underlying database, as well as the ability to crash or corrupt database state. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-55740 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images derived from the affected codebase.

Available
Triage

Triage is available with a CVSS v4.0 score of 9.3 (Critical), surfaced automatically in each customer's findings dashboard and weighted against their per-environment compliance policy. Routing to the appropriate team inbox within each customer org is supported based on policy configuration.

Available
Patch

Because no fix version has been published for bus-ticket, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated automatically at that point.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over HTTP, so the attacker must be able to reach the service across a network.

  • AuthenticationNot required

    No credentials are needed; the vulnerable bus_info.php endpoint accepts unauthenticated POST requests.

  • Victim interactionNot required

    The attacker sends a crafted HTTP POST request directly to the server; no user interaction is involved.

  • Attack complexityDetail

    Exploitation is straightforward and condition-free: the injection point is a numeric, unquoted parameter that accepts a simple UNION-based payload with no timing, memory layout, or environmental dependencies.

Blast Radius

  • Reads arbitrary rows and columns from the bus_service database, including any stored user credentials, personal information, and booking records.
  • Modifies or deletes persisted database rows, because the application connects as the MySQL root account with an empty password, granting full DML and DDL privileges.
  • Drops or truncates database tables, destroying application data and causing service disruption.
  • Enumerates other databases accessible to the root account on the same MySQL instance, extending the breach beyond the bus_service schema.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for Nur-Alam39 bus-ticket, HarborGuard continuously monitors the advisory and re-evaluates it on every ingest cycle. Images built from or layering this codebase are flagged at Critical severity (CVSS v4.0 9.3) in each customer's findings dashboard. While waiting for an upstream patch, customers can apply compensating controls supported by HarborGuard policy enforcement: network-policy isolation to restrict inbound access to the affected container to trusted sources only, egress filtering to limit database reachability from exposed pods, and feature-flag or ingress-rule gating to disable the bus_info.php route entirely until a fix is available. The moment an upstream patch commit is published, HarborGuard will make a patched-image rebuild available; for customers with auto-remediation enabled, this triggers an automatic rebuild, regression-test run, and a PR opened against affected workloads.

See how HarborGuard automates this
Affected packages
  • Nur-Alam39 / bus-ticket
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References