CVE-2026-40810

Vulnerability

An unauthenticated SQL injection vulnerability exists in the userinfo endpoint of MB connect line's mbCONNECT24 and mymbCONNECT24 products. The flaw stems from improper neutralization of special elements used in a SQL SELECT command. Affected versions are not explicitly listed in the available reference [1], but the advisory covers multiple SQLi vulnerabilities in these products.

Exploitation

An unauthenticated remote attacker can send crafted HTTP requests to the userinfo endpoint. No authentication or prior access is required. The attacker can inject SQL commands into the vulnerable parameter, likely by manipulating input fields that are directly concatenated into the SQL query.

Impact

Successful exploitation results in a total loss of confidentiality, as the attacker can extract arbitrary data from the database. The advisory [1] states that the vulnerabilities allow varying access to the database, but for this specific CVE, the description indicates complete confidentiality compromise.

Mitigation

As of the publication date (2026-05-27), no fixed version has been disclosed in the available reference [1]. Users should monitor the vendor's advisory for patches. No workaround is mentioned. The product may be EOL or pending update; consult MB connect line for specific version information.