This vulnerability (CVE-2026-40839) affects mbCONNECT24 and involves improper neutralization of special elements in an SQL SELECT command within the getComponentScalings function. An unauthenticated attacker with low privileges can exploit this SQL Injection vulnerability remotely, potentially accessing sensitive data and causing a complete confidentiality breach. The CVSS 4.0 base score is 7.1, reflecting high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. No patch or official remediation level has been published yet, and no known exploits are reported in the wild.

The vulnerability allows an unauthenticated, low privileged remote attacker to perform SQL Injection attacks, which can result in total loss of confidentiality of the affected system's data. This could lead to unauthorized data disclosure from the mbCONNECT24 product. No information about integrity or availability impact is provided.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should consider restricting network access to the affected service and monitor for suspicious activity related to SQL Injection attempts. Avoid exposing the vulnerable function to untrusted networks if possible.