VYPR
High severity · 7.5 · NVD Advisory · Published May 27, 2026

CVE-2026-40850

Description

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote SQL injection in mbCONNECT24/mymbCONNECT24's getAccountData function allows full database access, leading to total confidentiality loss.

Vulnerability

The vulnerability is an unauthenticated SQL injection in the getAccountData function of MB connect line's mbCONNECT24 and mymbCONNECT24 products. Improper neutralization of special elements in a SQL SELECT command allows an attacker to inject arbitrary SQL queries. The affected product versions are not explicitly listed in the available reference [1], but the advisory confirms multiple SQLi vulnerabilities exist across these products.

Exploitation

An unauthenticated remote attacker can exploit this vulnerability without any prior authentication or user interaction. The attacker only needs network access to the affected service. By crafting a malicious input to the getAccountData function, the attacker can execute arbitrary SQL commands on the backend database.

Impact

Successful exploitation results in a total loss of confidentiality, as the attacker can retrieve any data stored in the database. The advisory [1] indicates varying access to the database, but the CVE description specifically states total loss of confidentiality.

Mitigation

As of the publication date (2026-05-27), the vendor has not released a patch. Users should monitor the advisory [1] for updates and apply any fixes as soon as they become available. No workarounds are mentioned.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
