{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33616", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-03-23T13:15:49.382Z", "datePublished": "2026-04-02T08:59:55.743Z", "dateUpdated": "2026-04-02T13:08:18.951Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "mbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "mymbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "datePublic": "2026-04-02T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.<br>"}], "value": "An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T08:59:55.743Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"tags": ["vendor-advisory"], "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "source": {"advisory": "VDE-2026-030", "defect": ["CERT@VDE#641994"], "discovery": "EXTERNAL"}, "title": "MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:08:03.527993Z", "id": "CVE-2026-33616", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:08:18.951Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33616", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T13:08:03.527993Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:08:15.347Z"}}], "cna": {"title": "MB connect line mbCONNECT24 vulnerable to an unauthenticated SQL injection in the mb24api Endpoint", "source": {"defect": ["CERT@VDE#641994"], "advisory": "VDE-2026-030", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MB connect line", "product": "mbCONNECT24", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.19.4"}], "defaultStatus": "unaffected"}, {"vendor": "MB connect line", "product": "mymbCONNECT24", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.19.4"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-02T09:00:00.000Z", "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-030", "tags": ["vendor-advisory"]}, {"url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.", "supportingMedia": [{"type": "text/html", "value": "An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T08:59:55.743Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33616", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:08:18.951Z", "dateReserved": "2026-03-23T13:15:49.382Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-04-02T08:59:55.743Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mbconnectline:mbconnect24:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF88F461-51FB-482C-A406-07F72FC10D79", "versionEndIncluding": "2.19.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:mbconnectline:mymbconnect24:*:*:*:*:*:*:*:*", "matchCriteriaId": "36E8693F-94C4-46A4-BD83-D87B71B89F12", "versionEndIncluding": "2.19.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality."}], "id": "CVE-2026-33616", "lastModified": "2026-04-16T15:41:30.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-04-02T10:16:17.080", "references": [{"source": "info@cert.vde.com", "tags": ["Third Party Advisory"], "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"source": "info@cert.vde.com", "tags": ["Vendor Advisory"], "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.19.4]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "mbCONNECT24", "source": "cna", "vendor": "MB connect line"}, "product": "mbconnect24", "vendor": "mbconnectline"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.19.4]"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "mymbCONNECT24", "source": "cna", "vendor": "MB connect line"}, "product": "mymbconnect24", "vendor": "mbconnectline"}], "analysis": {"en": {"generated_at": "2026-04-02T10:20:54.708167+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch or upgrade the mbCONNECT24/mymbCONNECT24 software to a version that includes the fix for the mb24api endpoint.", "If a patch is not yet available, restrict network access to the mb24api endpoint, allowing only trusted hosts or IP ranges.", "Monitor the API logs for anomalous query patterns or repeated failed authentication attempts, as these may indicate ongoing exploitation.", "Validate all input to the API manually or via security controls to ensure no further injection vectors remain.", "Consider segmenting the network or placing the database behind an additional firewall to limit exposure."], "summary": {"action": "Patch ASAP", "impact": "Confidentiality breach"}, "threat_synthesis": {"affected_systems": "Products affected are mbCONNECT24 and mymbCONNECT24 from MB connect line. Version information was not disclosed in the advisory, so administrators should verify whether their current installations encompass the vulnerable code base. The defect resides in the mb24api component responsible for handling external API calls.", "description_and_impact": "The vulnerability is an unauthenticated blind SQL injection in the mb24api endpoint of MB connect line products, allowing a remote attacker to retrieve arbitrary data from the database. Because the injection occurs without authentication, any user can exploit it, potentially exposing all information stored within the system. The weakness corresponds to CWE-89 and results in a complete loss of confidentiality, as attacker\u2011controlled queries can return sensitive content.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity vulnerability with significant impact on confidentiality. EPSS data is not available, but the absence of the vulnerability from KEV catalog suggests no widely known active exploits yet; however, the blind nature of the injection and lack of authentication requirements increase its attractiveness to attackers. Exploitation would involve sending crafted input to the mb24api endpoint over the network, bypassing any standard authentication mechanism, and then reading the returned data, which could contain sensitive business information."}}}}, "created": "2026-04-02T20:12:57.674203+00:00", "updated": "2026-04-02T20:21:36.950248+00:00", "vendors": ["mbconnectline", "mbconnectline$PRODUCT$mbconnect24", "mbconnectline$PRODUCT$mymbconnect24"]}