Skip to main content

EUVDEUVD-2026-32129

| CVE-2026-40825 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-49xj-qj9r-gx79
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:03 vuln.today

DescriptionCVE.org

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

AnalysisAI

SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement bound to the 'devices' parameter in the accountstatus view, yielding full read access to the backend database and limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor — this directly contradicts the advisory text that labels the flaw 'unauthenticated,' a discrepancy defenders should resolve with the vendor. EPSS is very low (0.03%, 10th percentile) and there is no CISA KEV entry; no public exploit identified at time of analysis.

Share

EUVD-2026-32129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy