Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-40836

Summary
Assigner-CERTVDE
Assigner Org ID-270ccfa6-a436-4e77-922e-914ec3a9685c
Published At-27 May, 2026 | 07:56
Updated At-27 May, 2026 | 11:58
Rejected At-
Credits

Authenticated SQLi in inmessage model

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:CERTVDE
Assigner Org ID:270ccfa6-a436-4e77-922e-914ec3a9685c
Published At:27 May, 2026 | 07:56
Updated At:27 May, 2026 | 11:58
Rejected At:
▼CVE Numbering Authority (CNA)
Authenticated SQLi in inmessage model

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Affected Products
Vendor
MB connect line
Product
mbCONNECT24
Default Status
unaffected
Versions
Affected
  • From 0.0.0 through 2.20.0 (semver)
Vendor
MB connect line
Product
mymbCONNECT24
Default Status
unaffected
Versions
Affected
  • From 0.0.0 through 2.20.0 (semver)
Vendor
MB connect line
Product
mbCONNECT24
Default Status
unaffected
Versions
Affected
  • 2.20.0
Vendor
MB connect line
Product
mymbCONNECT24
Default Status
unaffected
Versions
Affected
  • 2.20.0
Vendor
Helmholz
Product
myREX24V2
Default Status
unaffected
Versions
Affected
  • From 0.0.0 through 2.20.0 (semver)
Vendor
Helmholz
Product
myREX24V2.virtual
Default Status
unaffected
Versions
Affected
  • From 0.0.0 through 2.20.0 (semver)
Vendor
Helmholz
Product
myREX24V2
Default Status
unaffected
Versions
Affected
  • 2.20.0
Vendor
Helmholz
Product
myREX24V2.virtual
Default Status
unaffected
Versions
Affected
  • 2.20.0
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.certvde.com/en/advisories/VDE-2026-044/
N/A
Hyperlink: https://www.certvde.com/en/advisories/VDE-2026-044/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:info@cert.vde.com
Published At:27 May, 2026 | 09:16
Updated At:27 May, 2026 | 09:16

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-89Primaryinfo@cert.vde.com
CWE ID: CWE-89
Type: Primary
Source: info@cert.vde.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.certvde.com/en/advisories/VDE-2026-044/info@cert.vde.com
N/A
Hyperlink: https://www.certvde.com/en/advisories/VDE-2026-044/
Source: info@cert.vde.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

123Records found
CVE-2026-40834
Matching Score-10
Assigner-CERT@VDE
ShareView Details
Matching Score-10
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:55
Updated-27 May, 2026 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in saveDashboardLayout function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash_layout.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40833
Matching Score-10
Assigner-CERT@VDE
ShareView Details
Matching Score-10
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:55
Updated-27 May, 2026 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in saveDashboardLayout function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40831
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:54
Updated-27 May, 2026 | 11:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in Easy View

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40818
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:48
Updated-27 May, 2026 | 12:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in _mb24confi_getDevice function function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40848
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:59
Updated-27 May, 2026 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in tag view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40821
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:49
Updated-27 May, 2026 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getAccountByID function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40843
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:58
Updated-27 May, 2026 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in alarming view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40840
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:57
Updated-27 May, 2026 | 11:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in VerifyCreateLicences function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40828
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:53
Updated-27 May, 2026 | 11:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in DeleteSysLogEntry function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40845
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:58
Updated-27 May, 2026 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in devices_configuration view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40849
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:59
Updated-27 May, 2026 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in user_alarmprofile view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40811
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:44
Updated-27 May, 2026 | 12:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in ssoabstractservice

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40830
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:54
Updated-27 May, 2026 | 11:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in UpdateParam function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40837
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:56
Updated-27 May, 2026 | 11:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getProjectScalings function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40813
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:45
Updated-27 May, 2026 | 12:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in getLiveValues

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40816
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:48
Updated-27 May, 2026 | 12:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in _mb24confi_getTagAlarm function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40839
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:57
Updated-27 May, 2026 | 11:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getComponentScalings function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40824
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:50
Updated-27 May, 2026 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40841
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:57
Updated-27 May, 2026 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getProjectTags function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40817
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:48
Updated-27 May, 2026 | 12:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in getAlarmProfiles function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40829
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:53
Updated-27 May, 2026 | 11:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in UpdateParam function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40844
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:58
Updated-27 May, 2026 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in dashboard view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40846
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:58
Updated-27 May, 2026 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in system view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40825
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:52
Updated-27 May, 2026 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40838
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:56
Updated-27 May, 2026 | 11:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getDeviceScalings function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40847
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:59
Updated-27 May, 2026 | 11:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in system_tag view

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40823
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:50
Updated-27 May, 2026 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in DevSerialReset function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40826
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:52
Updated-27 May, 2026 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in dsgvo_contracts view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40812
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:45
Updated-27 May, 2026 | 12:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in getLiveValues function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40822
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:50
Updated-27 May, 2026 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in DevSerialReset function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40835
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:56
Updated-27 May, 2026 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in saveObjectFromData function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40827
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7||HIGH
EPSS-0.03% / 10.00%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:53
Updated-27 May, 2026 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in _RemoveRequest function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40819
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:49
Updated-27 May, 2026 | 12:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in sync_data24 task

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40842
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:57
Updated-27 May, 2026 | 11:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getWidgetTags function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-33614
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.47%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 08:59
Updated-16 Apr, 2026 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-mbconnectlineMB connect line
Product-mymbconnect24mbconnect24mymbCONNECT24mbCONNECT24
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-33616
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.47%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 08:59
Updated-16 Apr, 2026 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint

An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-mbconnectlineMB connect line
Product-mymbconnect24mbconnect24mymbCONNECT24mbCONNECT24
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-33615
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-9.1||CRITICAL
EPSS-0.04% / 11.07%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 08:59
Updated-16 Apr, 2026 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the setinfo Endpoint

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability.

Action-Not Available
Vendor-mbconnectlineMB connect line
Product-mymbconnect24mbconnect24mymbCONNECT24mbCONNECT24
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-32969
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.5||HIGH
EPSS-0.19% / 40.36%
||
7 Day CHG~0.00%
Published-23 Mar, 2026 | 11:16
Updated-23 Mar, 2026 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pre-Auth Blind SQLi in userinfo Endpoint

An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24MB connect line mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-41678
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-6.5||MEDIUM
EPSS-0.67% / 71.64%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 09:30
Updated-06 Nov, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection via POST Requests Allowing Configuration Database Manipulation

A high privileged remote attacker can alter the configuration database via POST requests due to improper neutralization of special elements used in a SQL statement.

Action-Not Available
Vendor-mbconnectlineHelmholzMB connect line
Product-mbnet.minimbnet.mini_firmwarembNET.miniREX 100
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40814
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:47
Updated-27 May, 2026 | 12:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in _mb24confi_getTagAlarm function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php files _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40832
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-7.1||HIGH
EPSS-0.03% / 10.87%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:54
Updated-27 May, 2026 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated SQLi in getDevicegroups function

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40810
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:38
Updated-27 May, 2026 | 12:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in userinfo Endpoint

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40815
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 07:47
Updated-27 May, 2026 | 12:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in _mb24api_getUserAccount function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40850
Matching Score-6
Assigner-CERT@VDE
ShareView Details
Matching Score-6
Assigner-CERT@VDE
CVSS Score-8.7||HIGH
EPSS-0.05% / 15.57%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 08:00
Updated-27 May, 2026 | 11:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated SQLi in getAccountData function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Action-Not Available
Vendor-HelmholzMB connect line
Product-mymbCONNECT24mbCONNECT24myREX24V2.virtualmyREX24V2
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-47782
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.03% / 8.07%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 23:25
Updated-16 Jan, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection

Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information.

Action-Not Available
Vendor-Odinesolutions
Product-Odine Solutions GateKeeper
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-47720
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.01% / 1.23%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 19:34
Updated-07 Apr, 2026 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Orangescrum 1.8.0 Authenticated SQL Injection via Multiple Parameters

Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information.

Action-Not Available
Vendor-orangescrumOrangescrum
Product-orangescrumorangescrum
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-47980
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.03% / 8.72%
||
7 Day CHG~0.00%
Published-16 May, 2026 | 15:26
Updated-18 May, 2026 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fuel CMS 1.4.13 Blind SQL Injection via col Parameter

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.

Action-Not Available
Vendor-Getfuelcms
Product-Fuel CMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-25450
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.05% / 17.19%
||
7 Day CHG~0.00%
Published-22 Feb, 2026 | 13:18
Updated-07 Apr, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

Action-Not Available
Vendor-Dolibarr ERP & CRM
Product-dolibarr_erp\/crmDolibarr ERP/CRM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-10692
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-7.1||HIGH
EPSS-0.08% / 24.68%
||
7 Day CHG~0.00%
Published-03 Oct, 2025 | 20:30
Updated-06 Oct, 2025 | 14:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenSupports 4.11.0 — SQL Injection

The endpoint POST /api/staff/get-new-tickets concatenates the user-controlled parameter departmentId directly into the SQL WHERE clause without parameter binding. As a result, an authenticated staff user (level ≥ 1) can inject SQL to alter the filter logic, effectively bypassing department scoping and disclosing tickets beyond their intended access.This issue affects OpenSupports: 4.11.0.

Action-Not Available
Vendor-OpenSupports
Product-OpenSupports
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-47766
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.02% / 3.70%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 15:52
Updated-16 Jan, 2026 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)

Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.

Action-Not Available
Vendor-Levelprograms
Product-Kmaleon
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found