This vulnerability (CVE-2026-40819) affects mbCONNECT24 and arises from improper neutralization of special elements in an SQL SELECT command used by the sync_data24 task. An unauthenticated remote attacker can leverage this SQL Injection flaw to access sensitive data, resulting in a complete confidentiality breach. The CVSS 4.0 base score is 8.7, indicating high severity with network attack vector, no privileges or user interaction required, and high confidentiality impact. The vendor has not yet provided an official fix or remediation guidance, and the product is not a cloud service, so remediation depends on vendor updates or user-applied mitigations.

An unauthenticated remote attacker can exploit this SQL Injection vulnerability to fully compromise the confidentiality of the affected system's data. This means sensitive information accessible via the vulnerable SQL command can be disclosed without authentication. There is no indication of impact on integrity or availability. No known exploits have been reported in the wild so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently available, users should monitor vendor communications for updates. Until a patch is released, consider restricting network access to the affected service and applying any recommended configuration changes from the vendor once available.