CVE-2026-40829
Description
A high-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the view.html.php file's UpdateParam function, due to improper neutralization of special elements in a SQL UPDATE command, allowing the whole database to be read and values in a non-critical table to be changed. This can result in a total loss of confidentiality and some loss of integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged remote attacker can exploit an unauthenticated SQL injection in mbCONNECT24's UpdateParam function to read the entire database and modify non-critical tables.
Vulnerability
The vulnerability is an unauthenticated SQL injection in the UpdateParam function of view.html.php files in MB connect line mbCONNECT24/mymbCONNECT24 [1]. Improper neutralization of special elements in a SQL UPDATE command allows a high-privileged remote attacker to inject arbitrary SQL. The affected product versions are not explicitly listed in the available references, but the advisory [1] confirms multiple SQLi vulnerabilities in these products.
Exploitation
An attacker with high privileges (e.g., administrative access) can send crafted input to the UpdateParam function. The function fails to sanitize special elements in the SQL UPDATE command, enabling the attacker to inject arbitrary SQL statements. The attacker can then execute commands to read the entire database and modify values in non-critical tables. No additional user interaction is required beyond the attacker's existing high-privileged session.
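The weakness class described above, improper neutralization of special elements in a SQL UPDATE built from caller-supplied values, is illustrated below with a small self-contained Python/sqlite3 script. This is an added example, not mbCONNECT24 code: the `params` table, the `update_param_vulnerable`/`update_param_safe` functions and the probe value are all constructed for the illustration. The probe is an ordinary value containing a single quote; the concatenating version hands that quote to the SQL parser (the statement fails to parse, proving the input is interpreted as SQL text), while the parameterized version stores it verbatim and touches exactly one row.

```python
import sqlite3

# Constructed illustration (not the product's code): a parameter-update routine
# written two ways, to show why an UPDATE assembled by string formatting cannot
# neutralize special elements and why bound parameters do.


def make_db():
    # Hypothetical schema built in memory so the script runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE params (id INTEGER PRIMARY KEY, name TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO params (name, value) VALUES (?, ?)",
        [("timeout", "30"), ("label", "plant-a")],
    )
    conn.commit()
    return conn


def update_param_vulnerable(conn, name, value):
    # Caller-controlled 'value' is spliced directly into the SQL text, so any
    # quote or keyword in it becomes part of the statement rather than data.
    sql = f"UPDATE params SET value = '{value}' WHERE name = '{name}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_param_safe(conn, name, value):
    # Bound parameters: the driver sends 'value' and 'name' as data, so the
    # statement structure is fixed before any user input is seen.
    sql = "UPDATE params SET value = ? WHERE name = ?"
    cur = conn.execute(sql, (value, name))
    conn.commit()
    return cur.rowcount


def read_value(conn, name):
    row = conn.execute(
        "SELECT value FROM params WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def demo():
    # A legitimate value that happens to contain a quote character.
    probe = "plant-a's line"
    conn = make_db()

    try:
        update_param_vulnerable(conn, "label", probe)
        vulnerable_result = "accepted"
    except sqlite3.OperationalError:
        # The quote terminated the string literal and the rest was parsed as
        # SQL: the statement has no input/code boundary at all.
        vulnerable_result = "syntax error"

    # The safe version must affect exactly the one targeted row; a defender can
    # treat any other rowcount from a single-key UPDATE as a logic fault.
    rows = update_param_safe(conn, "label", probe)
    return vulnerable_result, rows, read_value(conn, "label")


if __name__ == "__main__":
    print(demo())
```

Running the script prints `('syntax error', 1, "plant-a's line")`: the concatenated UPDATE cannot even handle benign punctuation, which is the same property that lets crafted input change the statement's meaning, whereas the parameterized UPDATE stores the string unchanged and modifies only the intended row.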
Impact
Successful exploitation leads to total loss of confidentiality (full database read access) and partial loss of integrity (modification of non-critical table values). The attacker can exfiltrate sensitive data and alter non-critical data, but write access is limited to non-critical tables.
Mitigation
As of the publication date (2026-05-27), no fixed version or patch has been released by MB connect line GmbH [1]. Users should monitor the vendor's advisory for updates. No workarounds are documented. The CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.