{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33614", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-03-23T13:15:49.381Z", "datePublished": "2026-04-02T08:59:40.736Z", "dateUpdated": "2026-04-02T13:30:10.029Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "mbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "mymbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "datePublic": "2026-04-02T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.<br>"}], "value": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T08:59:40.736Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"tags": ["vendor-advisory"], "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "source": {"advisory": "VDE-2026-030", "defect": ["CERT@VDE#641994"], "discovery": "EXTERNAL"}, "title": "MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:29:54.050449Z", "id": "CVE-2026-33614", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:30:10.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33614", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:29:54.050449Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:30:00.845Z"}}], "cna": {"title": "MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the getinfo endpoint", "source": {"defect": ["CERT@VDE#641994"], "advisory": "VDE-2026-030", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MB connect line", "product": "mbCONNECT24", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.19.4"}], "defaultStatus": "unaffected"}, {"vendor": "MB connect line", "product": "mymbCONNECT24", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.19.4"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-02T09:00:00.000Z", "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-030", "tags": ["vendor-advisory"]}, {"url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.", "supportingMedia": [{"type": "text/html", "value": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T08:59:40.736Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33614", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:30:10.029Z", "dateReserved": "2026-03-23T13:15:49.381Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-04-02T08:59:40.736Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality."}], "id": "CVE-2026-33614", "lastModified": "2026-04-02T10:16:16.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-04-02T10:16:16.723", "references": [{"source": "info@cert.vde.com", "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"source": "info@cert.vde.com", "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.19.4]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "mbCONNECT24", "source": "cna", "vendor": "MB connect line"}, "product": "mbconnect24", "vendor": "mbconnectline"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.19.4]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "mymbCONNECT24", "source": "cna", "vendor": "MB connect line"}, "product": "mymbconnect24", "vendor": "mbconnectline"}], "analysis": {"en": {"generated_at": "2026-04-02T10:21:44.061685+00:00", "value": {"mitigation_remediation": ["Apply any available security patch or update from MB connect line for mbCONNECT24 and mymbCONNECT24 that addresses the SQL injection in the getinfo endpoint. If no patch is currently released, immediately limit access to the getinfo endpoint using firewall rules or network ACLs to only allow authorized traffic. Configure monitoring to detect suspicious SQL query patterns or anomalous requests to the endpoint. Notify stakeholders that a data confidentiality risk exists and verify whether any sensitive data has been accessed."], "summary": {"action": "Immediate Patch", "impact": "Loss of confidentiality via data exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MB connect line products, specifically mbCONNECT24 and mymbCONNECT24. No specific version information is provided in the advisory, so all deployed instances of these products are potentially exposed.", "description_and_impact": "A remote attacker can use an unauthenticated SQL Injection in the getinfo endpoint because special characters are not properly neutralized in the SQL SELECT command. This allows the attacker to read arbitrary database contents, leading to a total loss of confidentiality. The weakness is a classic input validation flaw and is classified under CWE-89.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity vulnerability. Exploitation is likely since the attack requires no authentication and can be performed over the network via an HTTP request to the getinfo endpoint. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the lack of a patch and the high score suggest a significant risk of exploitation."}}}}, "created": "2026-04-02T20:12:59.578649+00:00", "updated": "2026-04-02T20:21:38.837964+00:00", "vendors": ["mbconnectline", "mbconnectline$PRODUCT$mbconnect24", "mbconnectline$PRODUCT$mymbconnect24"]}