Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote attacker can exploit an injection flaw in the getAccountData function because special characters in a SQL SELECT query are not properly neutralized. This allows the attacker to execute arbitrary SQL statements against the backend database, leading to a complete loss of confidentiality, since sensitive data can be extracted without restriction. The vulnerability is a classic instance of CWE-89 (improper neutralization of special elements used in an SQL command): user-controlled input reaches a database query without adequate validation or parameterization.

Affected Systems

The flaw affects Helmholz's myREX24V2 and its virtual variant, as well as MB connect line's mbCONNECT24 and mymbCONNECT24 platforms, specifically version 2.20.0 of these systems. Systems identified by CPE strings such as cpe:2.3:a:helmholz:myrex24v2.* and cpe:2.3:a:mb_connect_line:mbconnect24.* are vulnerable.

Risk and Exploitability

The vulnerability is exploitable remotely without authentication, making it highly attractive to attackers. Its CVSS score of 8.7 indicates high impact and advanced exploitation steps. The EPSS score is not available, so the exact likelihood of exploitation cannot be quantified, but the nature of the flaw suggests it could be leveraged by automated database exploitation tools. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending specially crafted requests to the getAccountData endpoint, potentially from any host that can reach the target system.

Generated by OpenCVE AI on May 27, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify whether the system is running Helmholz myREX24V2 or MB connect line mbCONNECT24 (including the virtual or mymbCONNECT24 variants) with version 2.20.0 to confirm that the vulnerability is present.
  • Apply the latest firmware or software update released by Helmholz or MB connect line that addresses the SQL injection in the getAccountData function.
  • If an official patch is not yet available, block external access to the getAccountData API or enable authentication requirements before the endpoint can be accessed, thereby preventing unauthenticated exploitation.
  • Implement strict input validation and parameterized queries (prepared statements) for the getAccountData function, so that user-supplied values are bound as query parameters rather than interpolated into the SQL SELECT statement; where escaping is unavoidable, ensure that all special characters are properly escaped to eliminate injection vectors.

Generated by OpenCVE AI on May 27, 2026 at 11:05 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:00:00 +0000

Type / Values Removed / Values Added (initial record; no values were removed in this entry)

Type: Description
Values Added: An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Type: Title
Values Added: Unauthenticated SQLi in getAccountData function

Type: First Time appeared
Values Added:
  Helmholz
  Helmholz myrex24v2
  Helmholz myrex24v2.virtual
  Helmholz myrex24v2virtual
  Mb Connect Line
  Mb Connect Line mbconnect24
  Mb Connect Line mymbconnect24

Type: Weaknesses
Values Added: CWE-89

Type: CPEs
Values Added:
  cpe:2.3:a:helmholz:myrex24v2.virtual:*:*:*:*:*:*:*:*
  cpe:2.3:a:helmholz:myrex24v2:*:*:*:*:*:*:*:*
  cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
  cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
  cpe:2.3:o:helmholz:myrex24v2:2.20.0:*:*:*:*:*:*:*
  cpe:2.3:o:helmholz:myrex24v2virtual:2.20.0:*:*:*:*:*:*:*
  cpe:2.3:o:mb_connect_line:mbconnect24:2.20.0:*:*:*:*:*:*:*
  cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  Helmholz
  Helmholz myrex24v2
  Helmholz myrex24v2.virtual
  Helmholz myrex24v2virtual
  Mb Connect Line
  Mb Connect Line mbconnect24
  Mb Connect Line mymbconnect24

Type: References
Values Added: none

Type: Metrics
Values Added:
  cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T11:54:47.362Z

Reserved: 2026-04-15T09:33:02.614Z

Link: CVE-2026-40850

Vulnrichment

Updated: 2026-05-27T11:54:42.728Z

NVD

Status: Deferred

Published: 2026-05-27T09:16:31.547

Modified: 2026-05-27T14:53:22.863

Link: CVE-2026-40850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:15:20Z

Weaknesses