Skip to main content

CVE-2026-40844

| EUVDEUVD-2026-32143 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-q469-xwpc-2xr4
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:24 vuln.today

DescriptionCVE.org

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

SQL injection in the dashboard view of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) lets a remote, low-privileged user inject crafted input into a SQL SELECT statement, yielding a total loss of confidentiality of the backend database. All versions up to and including 2.20.0 are affected. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the network-reachable, low-complexity nature of the flaw in internet-facing OT remote-access gateways warrants prompt remediation.

Share

CVE-2026-40844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy