CVE-2026-40833 HIGH

CVE-2026-40833: Authenticated SQLi in saveDashboardLayout function

Vendor Mb Connect Line
Product mbCONNECT24
Weakness CWE-89 · SQLi
Published May 27, 2026
Last update May 27, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated