CVE-2026-40835

Vulnerability

The vulnerability resides in the saveObjectFromData function of MB connect line's mbCONNECT24 and mymbCONNECT24 products [1]. Due to improper neutralization of special elements in a SQL SELECT command, an attacker can inject arbitrary SQL queries. The affected versions are those covered by the vendor advisory [1]; specific version numbers are not disclosed in the available references.

Exploitation

A remote attacker with low privileges can exploit this vulnerability without requiring authentication [1]. The attacker sends crafted input to the saveObjectFromData function, which is processed in an SQL SELECT statement. The lack of input sanitization allows the attacker to manipulate the query, enabling extraction of database contents.

Impact

Successful exploitation results in a total loss of confidentiality [1]. The attacker can read arbitrary data from the database, potentially including sensitive information such as user credentials, configuration details, or other protected data. The advisory [1] confirms varying access to the database, with this specific CVE leading to full confidentiality compromise.

Mitigation

As of the publication date (2026-05-27), no patch or workaround has been released [1]. Users are advised to monitor the vendor advisory [1] for updates and apply any future fixes promptly. No mitigation details are available in the current references.