Description
A high-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command, allowing for reading the whole database and changing values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.
Published: 2026-05-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A high-privileged remote attacker can exploit an unauthenticated SQL Injection in the accountstatus view's userid parameter because the application fails to properly neutralize special characters used in a SQL UPDATE command. The flaw allows the attacker to read the entire database and modify values in a non-critical table, resulting in a total loss of confidentiality and some loss of integrity, as documented with CWE-89.

Affected Systems

The vulnerability impacts Helmholz’s myREX24V2 and myREX24V2.virtual products and MB Connect Line’s mbCONNECT24 and mymbCONNECT24 lines, all running the 2.20.0 release family.

Risk and Exploitability

With a CVSS score of 7, the flaw is rated high severity. While no EPSS score is available and the issue is not listed in the CISA KEV catalog, the requirement for a high-privileged authenticated session combined with the ease of crafting a malicious userid value implies a realistic exploitation path, especially on exposed web interfaces.

Generated by OpenCVE AI on May 27, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Helmholz myREX24V2, myREX24V2.virtual, MB Connect Line mbCONNECT24, or mymbCONNECT24 to the latest patch that fixes the accountstatus view SQLi
  • If an immediate patch is not available, lock the accountstatus endpoint to trusted IP ranges and configure the underlying database user to have read-only privileges, preventing write operations from the vulnerable context
  • Review the input handling for the userid parameter and enforce proper parameterized queries or strict input validation to eliminate the ability to inject SQL syntax

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | A high-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command, allowing for reading the whole database and changing values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.
Title | | Authenticated SQLi in accountstatus view
First Time appeared | | Helmholz; Helmholz myrex24v2; Helmholz myrex24v2.virtual; Helmholz myrex24v2virtual; Mb Connect Line; Mb Connect Line mbconnect24; Mb Connect Line mymbconnect24
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:helmholz:myrex24v2.virtual:*:*:*:*:*:*:*:*
 | | cpe:2.3:a:helmholz:myrex24v2:*:*:*:*:*:*:*:*
 | | cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
 | | cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
 | | cpe:2.3:o:helmholz:myrex24v2:2.20.0:*:*:*:*:*:*:*
 | | cpe:2.3:o:helmholz:myrex24v2virtual:2.20.0:*:*:*:*:*:*:*
 | | cpe:2.3:o:mb_connect_line:mbconnect24:2.20.0:*:*:*:*:*:*:*
 | | cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.0:*:*:*:*:*:*:*
Vendors & Products | | Helmholz; Helmholz myrex24v2; Helmholz myrex24v2.virtual; Helmholz myrex24v2virtual; Mb Connect Line; Mb Connect Line mbconnect24; Mb Connect Line mymbconnect24
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T12:00:51.291Z

Reserved: 2026-04-15T09:33:02.611Z

Link: CVE-2026-40824

Vulnrichment

Updated: 2026-05-27T12:00:46.234Z

NVD

Status: Deferred

Published: 2026-05-27T08:16:43.147

Modified: 2026-05-27T14:53:22.863

Link: CVE-2026-40824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:00:16Z

Weaknesses