CVE-2026-40819

Deferred Deferred - Pending Action

Unauthenticated SQL Injection in Sync Data24 Task

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: CERT VDE

Description

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-27

Last Modified

2026-05-27

Generated

2026-06-16

AI Q&A

2026-05-27

EPSS Evaluated

2026-06-15

NVD

CVE-2026-40819

EUVD

EUVD-2026-32124

Affected Vendors & Products

Vendor	Product	Version / Range
mb_connect_line	mbconnect24	*
mb_connect_line	mymbconnect24	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability is an unauthenticated SQL Injection in the sync_data24 task. It occurs because special elements in a SQL SELECT command are not properly neutralized, allowing a remote attacker to inject malicious SQL code without needing to authenticate.

Impact Analysis

Exploiting this vulnerability can lead to a total loss of confidentiality, meaning an attacker could access sensitive data without authorization.

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to exploit an SQL Injection flaw resulting in a total loss of confidentiality.

Loss of confidentiality can lead to unauthorized access to sensitive personal or protected health information, which may cause non-compliance with data protection regulations such as GDPR and HIPAA.

Therefore, this vulnerability poses a significant risk to compliance with standards that require safeguarding confidentiality of data.

Hi! I’m here to help you understand CVE-2026-40819. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-40819

Unauthenticated SQL Injection in Sync Data24 Task

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart