VYPR
← All advisories
Medium severity6.5NVD Advisory· Published May 27, 2026

CVE-2026-40847

CVE-2026-40847

Description

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An SQL injection in the system_tag view of mbCONNECT24/mymbCONNECT24 allows low-privileged remote attackers to read arbitrary database contents, leading to total confidentiality loss.

Vulnerability

An improper neutralization of special elements in a SQL SELECT command exists in the system_tag view of MB connect line mbCONNECT24 and mymbCONNECT24. This allows an attacker with low privileges to inject malicious SQL queries. The affected product versions are not explicitly disclosed in the available references [1].

Exploitation

A remote attacker with low privileges can exploit this vulnerability by sending crafted input to the system_tag view without the need for additional authentication. The attacker can inject arbitrary SQL commands into the SELECT statement, enabling retrieval of database contents [1].

Impact

Successful exploitation results in a total loss of confidentiality. The attacker can read all data stored in the database, including sensitive information such as user credentials and configuration details [1].

Mitigation

As of the advisory publication date (2026-05-27), no official patch has been released by MB connect line GmbH. Users are advised to monitor vendor announcements and apply updates as soon as they become available. No workarounds have been disclosed in the referenced advisory [1].

References
  1. MB connect line: Multiple SQLi vulnerabilities in mbCONNECT24/mymbCONNECT24

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.