CVE-2026-40813
Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in mbCONNECT24's getLiveValues function allows remote attackers to access the database, leading to total loss of confidentiality.
Vulnerability
The vulnerability is an unauthenticated SQL injection in the getLiveValues function of MB connect line mbCONNECT24/mymbCONNECT24. The tagid parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL into a SELECT command. The exact affected versions are not specified in the available reference, but the advisory indicates multiple SQLi vulnerabilities exist in the product [1].
Exploitation
An attacker can exploit this remotely without authentication by sending a crafted HTTP request to the getLiveValues endpoint with a malicious tagid parameter. No special privileges or user interaction are required. The attacker simply needs network access to the application.
Impact
Successful exploitation leads to arbitrary SQL query execution against the database, resulting in a total loss of confidentiality. The attacker can extract sensitive data from the database [1].
Mitigation
As of the publication date (2026-05-27), no official patch or workaround has been disclosed in the available reference. Administrators should monitor vendor advisories for updates and consider restricting network access to the affected component as a temporary measure [1].
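While no patch is available, web-server access logs can be reviewed for getLiveValues requests whose tagid value does not look like a plain identifier. The following is an added example, not code from the vendor or the advisory; the combined log format, the `/api?function=...` URL layout, and the allowed tagid pattern are assumptions to adapt to the actual deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate tag IDs are short identifier-like tokens. Tune per deployment.
SAFE_TAGID = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Request portion of a common/combined-format access log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(lines):
    """Return (line_no, client_ip, status, decoded_tagid) for getLiveValues
    requests whose tagid is not a plain identifier."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Scope to the affected function wherever its name appears in the URL.
        if "getlivevalues" not in f"{url.path}?{url.query}".lower():
            continue
        # parse_qs percent-decodes values, so encoded quotes are seen as quotes.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != "tagid":
                continue
            for value in values:
                if not SAFE_TAGID.fullmatch(value):
                    findings.append((line_no, m["ip"], int(m["status"]), value))
    return findings


# Constructed sample log lines (documentation IP ranges, hypothetical /api URL).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/May/2026:10:01:02 +0000] "GET /api?function=getLiveValues&tagid=1042 HTTP/1.1" 200 312',
    '203.0.113.9 - - [27/May/2026:10:01:05 +0000] "GET /api?function=getLiveValues&tagid=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9981',
    '203.0.113.9 - - [27/May/2026:10:01:09 +0000] "GET /api?function=getLiveValues&tagid=7%3B-- HTTP/1.1" 500 120',
    '198.51.100.7 - - [27/May/2026:10:02:00 +0000] "GET /api?function=getDeviceList&tagid=a%27b HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so requests that carry tagid in a POST body need reverse-proxy or WAF logging to be covered by the same check.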
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.