VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published May 27, 2026

CVE-2026-40848


Description

A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in the tag view of mbCONNECT24/mymbCONNECT24 allows low-privileged remote attackers to leak the entire database.

Vulnerability

An unauthenticated SQL injection vulnerability exists in the tag view component of MB connect line mbCONNECT24 and mymbCONNECT24 due to improper neutralization of special elements used in a SQL SELECT command [1]. The affected product versions are not explicitly listed in the references, but the advisory notes multiple SQLi vulnerabilities in these products [1]. A remote attacker with low privileges can exploit this flaw without authentication by sending a crafted request to the tag view endpoint.

Exploitation

An attacker requires network access to the application and a low-privileged session (or no authentication at all, as described) [1]. The specific sequence involves crafting a malicious SQL query within the SELECT statement used by the tag view, bypassing input sanitization. The advisory does not provide further technical steps but confirms the vulnerability is remotely exploitable [1].

Impact

Successful exploitation results in total loss of confidentiality [1]. The attacker can read arbitrary data from the database, including sensitive information stored in mbCONNECT24/mymbCONNECT24. The impact is limited to confidentiality; integrity and availability are not directly affected [1].

Mitigation

Not yet disclosed in the available references. The advisory notes that multiple SQLi vulnerabilities were published on 2026-05-27, but no fixed version or workaround is provided [1]. Users should monitor vendor updates for patches and restrict network access to the affected systems as a temporary measure.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
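The record above contains no code, and the affected tag view's implementation is not public, so the following is an added editor's illustration (not the vendor's code and not taken from the advisory) of the generic CWE-89 pattern the description names: a SELECT statement built by splicing caller-supplied text into the query, beside the parameterized form that neutralizes special elements. The table name, columns and sample rows are constructed assumptions. The point worth seeing in running code is that both forms return identical results for well-formed tag names, so ordinary functional tests never reveal the defect; only an input containing a SQL special element (here a plain apostrophe in a legitimate name) shows that the concatenated form lets data change the structure of the statement.

```python
import sqlite3

# Constructed sample data: a small "tags" table standing in for whatever the
# real tag view queries. Schema, names and values are assumptions for this demo.
SAMPLE_TAGS = [
    ("pump_speed", "1450"),
    ("O'Reilly_line", "ok"),   # a legitimate name containing a SQL special element
    ("tank_level", "72"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT NOT NULL, value TEXT)"
    )
    conn.executemany("INSERT INTO tags (name, value) VALUES (?, ?)", SAMPLE_TAGS)
    conn.commit()
    return conn


def lookup_tag_unsafe(conn, name):
    """CWE-89 pattern: the caller-supplied name is spliced into the SELECT text,
    so a quote inside it terminates the string literal and everything after it
    is parsed as SQL rather than treated as data."""
    sql = "SELECT id, name, value FROM tags WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_tag_safe(conn, name):
    """Parameterized form: the name travels to the engine as a bound value and
    never becomes part of the statement text, so special elements are inert."""
    sql = "SELECT id, name, value FROM tags WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh database.

    Returns (safe_rows, unsafe_result) where unsafe_result is either the row
    list or the name of the sqlite3 error class raised when the spliced input
    broke the statement.
    """
    conn = build_db()
    safe = lookup_tag_safe(conn, name)
    try:
        unsafe = lookup_tag_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    conn.close()
    return safe, unsafe


if __name__ == "__main__":
    for probe in ("pump_speed", "O'Reilly_line", "nonexistent"):
        print(probe, "->", compare(probe))
```

For a benign name such as `pump_speed` both functions return the same single row; for `O'Reilly_line` the parameterized lookup still returns its row while the concatenated one fails with an `OperationalError`, because the apostrophe ended the literal early. A code review or unit test that feeds each database-touching endpoint at least one value containing a quote is a cheap way to surface this class of defect before an attacker does.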

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.