CVE-2026-40842

Vulnerability

CVE-2026-40842 is an unauthenticated SQL injection vulnerability in the getWidgetTags function of MB connect line mbCONNECT24 and mymbCONNECT24. The flaw stems from improper neutralization of special elements used in an SQL SELECT command. An attacker with low privileges can trigger this vulnerability without authentication. The affected product versions are not explicitly listed in the reference [1], but the advisory confirms multiple SQLi vulnerabilities in these products.

Exploitation

An attacker must have low-privileged remote access to the mbCONNECT24 or mymbCONNECT24 service. No authentication is required to reach the vulnerable getWidgetTags function. The attacker sends crafted input that is not properly sanitized, allowing injection of arbitrary SQL commands into the SELECT statement. The exploitation does not require user interaction or special network position beyond standard remote connectivity.

Impact

Successful exploitation results in a total loss of confidentiality, as the attacker can read arbitrary data from the underlying database. The impact is limited to information disclosure (data breach) and does not extend to data modification or remote code execution according to the available references.

Mitigation

As of the publication date (2026-05-27), the vendor has not released a patch. The VDE advisory [1] does not list fixed versions or workarounds. Users should monitor the vendor's official channels for updates. If the product reaches end-of-life, upgrade to a supported version is recommended. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at this time.