CVE-2026-40844

Vulnerability

An unauthenticated SQL injection vulnerability exists in the dashboard view of mbCONNECT24 and mymbCONNECT24 due to improper neutralization of special elements in a SQL SELECT command [1]. The vulnerability can be exploited by a low-privileged remote attacker without requiring authentication. Affected versions are not specified in the available advisory, but the product family includes mbCONNECT24 and mymbCONNECT24 [1].

Exploitation

An attacker with network access to the affected system can send crafted input to the dashboard view's SQL query parameters. No authentication or user interaction is required. The attacker can inject arbitrary SQL commands into the SELECT statement, extracting data from the database [1].

Impact

Successful exploitation results in a total loss of confidentiality, as the attacker can read arbitrary data from the database, including potentially sensitive information [1]. The advisory notes varying access to the database depending on the specific SQLi vulnerability [1].

Mitigation

As of the publication date (2026-05-27), no official fix or version is disclosed in the available reference. Users should monitor the vendor's advisory for patch information and consider restricting network access to the dashboard view as a workaround [1].