VYPR
← All advisories
Medium severity6.5NVD Advisory· Published May 27, 2026

CVE-2026-40845

CVE-2026-40845

Description

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privileged remote attacker can exploit an unauthenticated SQL injection in mbCONNECT24's devices_configuration view to leak the entire database, causing total loss of confidentiality.

Vulnerability

An SQL injection vulnerability exists in the devices_configuration view of mbCONNECT24/mymbCONNECT24 due to improper neutralization of special elements in a SQL SELECT command [1]. Affected versions are not specified in the available references, but the advisory [1] indicates multiple SQLi vulnerabilities in the product. The vulnerability allows an attacker to inject arbitrary SQL queries.

Exploitation

An attacker with low privileges can remotely exploit the vulnerability remotely. The injection is unauthenticated, meaning no prior authentication is needed. The attacker sends crafted input to the devices_configuration view, which is not sanitized, leading to execution of attacker-controlled SQL commands [1].

Impact

Successful exploitation results in a total loss of confidentiality, as the attacker can read arbitrary data from the database [1]. The impact is limited to confidentiality; integrity and availability are not affected according to the description.

Mitigation

No fix or mitigation is disclosed in the available references [1]. The vendor (MB connect line GmbH) has not released a patched version as of the advisory date. Users should monitor vendor updates for patches. No workaround is provided.

References
  1. MB connect line: Multiple SQLi vulnerabilities in mbCONNECT24/mymbCONNECT24

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.