VYPR
High severity · 7.1 · NVD Advisory · Published May 27, 2026

CVE-2026-40833


Description

A low-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the saveDashboardLayout function of the dash.php file, due to improper neutralization of special elements in a SQL INSERT command, allowing the whole database to be read and entries to be inserted into a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privileged remote attacker can exploit an unauthenticated SQL injection in dash.php's saveDashboardLayout function to read the entire database and insert entries.

Vulnerability

A SQL injection vulnerability exists in the saveDashboardLayout function of dash.php in MB connect line mbCONNECT24/mymbCONNECT24. The flaw arises from improper neutralization of special elements used in a SQL INSERT command. While authentication is normally required, the injection is exploitable without prior authentication due to the way the function processes user input. The exact affected versions are not detailed in the available references, but the vendor advisory confirms multiple SQLi vulnerabilities in the product [1].
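As an added illustration (not the vendor's code, whose source is not available here), this shows the pattern the description names, a user-controlled value concatenated into an INSERT, beside the hardened form with an authentication check and a prepared statement; the table, column, session and function names are assumptions.

```php
<?php
// Added illustration, not the vendor's code: the advisory describes improper
// neutralization of user input in a SQL INSERT. Table and column names,
// parameter names and the session shape are all assumptions.

// Anti-pattern matching the description: the layout value is spliced into the
// SQL text, so quote characters in it are parsed as SQL, not stored as data.
function saveDashboardLayoutConcat(PDO $db, string $userId, string $layout): void
{
    $sql = "INSERT INTO dashboard_layout (user_id, layout) "
         . "VALUES ('" . $userId . "', '" . $layout . "')";
    $db->exec($sql);
}

// Hardened form: require an authenticated session (the advisory notes the
// endpoint is reachable unauthenticated), then bind every user-controlled
// value so the driver never interprets it as SQL syntax. On MySQL also set
// PDO::ATTR_EMULATE_PREPARES to false so the server itself does the binding.
function saveDashboardLayoutPrepared(PDO $db, array $session, string $layout): int
{
    if (!isset($session['user_id']) || !is_int($session['user_id'])) {
        throw new RuntimeException('authentication required');
    }
    if ($layout !== 'null' && json_decode($layout, true) === null) {
        throw new InvalidArgumentException('layout must be a JSON document');
    }
    $stmt = $db->prepare(
        'INSERT INTO dashboard_layout (user_id, layout) VALUES (:uid, :layout)'
    );
    $stmt->bindValue(':uid', $session['user_id'], PDO::PARAM_INT);
    $stmt->bindValue(':layout', $layout, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Self-check against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dashboard_layout (id INTEGER PRIMARY KEY, '
        . 'user_id INTEGER NOT NULL, layout TEXT NOT NULL)');

// A layout containing a single quote is stored verbatim by the prepared form.
$layout = '{"widgets":["o\'clock"]}';
$id = saveDashboardLayoutPrepared($db, ['user_id' => 7], $layout);
$stmt = $db->prepare('SELECT layout FROM dashboard_layout WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetchColumn();
assert($row === $layout);
echo "stored verbatim: $row\n";
```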

Exploitation

An attacker with low privileges (or even unauthenticated, due to the nature of the vulnerability) can send crafted input to the saveDashboardLayout endpoint. No special network position is required beyond network access to the web interface. The attacker injects SQL commands into a parameter that is used in an INSERT statement, leading to execution of arbitrary SQL. The exploitation does not require user interaction [1].

Impact

Successful exploitation allows the attacker to read the entire database, leading to total loss of confidentiality. Additionally, the attacker can insert entries into a non-critical table, causing some loss of integrity. The impact does not extend to full system compromise or privilege escalation [1].

Mitigation

The vendor has not yet released a patch as of the publication date (2026-05-27). The advisory [1] does not specify a fixed version or workaround. Until a fix is available, organizations should restrict network access to the web interface and monitor for suspicious activity. There is no mention of the vulnerability being listed in CISA KEV.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)
