This vulnerability (CVE-2026-40848) affects MB connect line's mbCONNECT24 product. It is caused by improper neutralization of special elements in an SQL SELECT command, leading to an unauthenticated SQL Injection in the tag view. An attacker with low privileges can remotely exploit this flaw to compromise data confidentiality. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality. No official patch or remediation level has been published, and no known exploits are reported.

Exploitation of this vulnerability can result in a total loss of confidentiality, meaning sensitive data accessible via the SQL database could be disclosed to an attacker. The vulnerability allows unauthenticated remote attackers to perform SQL Injection, which can compromise the integrity and confidentiality of the system's data. There is no indication of impact on availability or integrity beyond confidentiality loss.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor the vendor's communications for updates. Until a patch is available, consider restricting network access to the affected component and applying compensating controls to limit exposure to unauthenticated SQL Injection attacks.