VYPR
← All advisories
Medium severity6.5NVD Advisory· Published May 27, 2026

CVE-2026-40849

CVE-2026-40849

Description

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privilege attacker can exploit an unauthenticated SQL injection in the user_alarmprofile view of MB connect line mbCONNECT24/mymbCONNECT24, leading to total loss of confidentiality.

Vulnerability

An SQL injection vulnerability exists in the user_alarmprofile view of MB connect line mbCONNECT24 and mymbCONNECT24 [1]. The vulnerability is due to improper neutralization of special elements in a SQL SELECT command. This affects an unspecified range of product versions [1]. The issue is classified as CVE-2026-40849 with a CVSS v3 score of 6.5 (Medium) [1].

Exploitation

A low-privileged remote attacker can exploit this vulnerability without requiring any prior authentication [1]. The attacker sends a crafted SQL query to the user_alarmprofile view endpoint. The exact attack vector is not detailed in the available references but relies on the failure to sanitize user input within the SQL command.

Impact

Successful exploitation results in unauthenticated access to the database, leading to a total loss of confidentiality [1]. The attacker can retrieve sensitive data from the database, potentially including but not limited to user credentials, configuration data, and other protected information.

Mitigation

Not yet disclosed in the available references. The advisory [1] does not specify a fixed version or release date. Users should monitor the vendor (MB connect line GmbH) for patches and updates. No workaround is provided in the references.

References
  1. MB connect line: Multiple SQLi vulnerabilities in mbCONNECT24/mymbCONNECT24

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.