Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated remote SQL injection in the getLiveValues API, where the tagid parameter is not properly neutralized. Exploitation allows a threat actor to inject arbitrary SQL into a SELECT statement, potentially revealing sensitive data and causing a total loss of confidentiality. The weakness is classified as CWE‑89.

Affected Systems

Affected products are Helmholz myREX24V2 and its virtual version, as well as MB Connect Line mbCONNECT24 and mymbCONNECT24. All impacted releases are identified as version 2.20.0 according to the provided CPE strings.

Risk and Exploitability

With a CVSS score of 8.7 the issue is considered high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is unauthenticated remote, inferred from the description that a remote attacker can exploit the vulnerability without credentials. If exploited, the attacker could access protected data exposed by the vulnerable SELECT statements.

Generated by OpenCVE AI on May 27, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or software update from Helmholz or MB Connect Line that fixes the SQL injection in the getLiveValues API.
  • Restrict unauthenticated access to the getLiveValues endpoint by configuring network segmentation or firewall rules so that only trusted hosts or networks can reach it.
  • Deploy a web application firewall or implement input validation to block malicious SQL injection payloads against the getLiveValues API.

Generated by OpenCVE AI on May 27, 2026 at 09:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Title Unauthenticated SQLi in getLiveValues
First Time appeared Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
Weaknesses CWE-89
CPEs cpe:2.3:a:helmholz:myrex24v2.virtual:*:*:*:*:*:*:*:*
cpe:2.3:a:helmholz:myrex24v2:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2virtual:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mbconnect24:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.0:*:*:*:*:*:*:*
Vendors & Products Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Helmholz Myrex24v2 Myrex24v2.virtual Myrex24v2virtual
Mb Connect Line Mbconnect24 Mymbconnect24
cve-icon MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T12:03:09.938Z

Reserved: 2026-04-15T09:33:02.610Z

Link: CVE-2026-40813

cve-icon Vulnrichment

Updated: 2026-05-27T12:03:04.811Z

cve-icon NVD

Status : Received

Published: 2026-05-27T08:16:41.630

Modified: 2026-05-27T08:16:41.630

Link: CVE-2026-40813

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T09:30:27Z

Weaknesses