CVE-2026-40833

Authenticated SQLi in saveDashboardLayout function

CVSS 7.1 HIGHEPSS 0.2%CWE-89

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

27 may 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php files saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command allowing for reading the whole database and inserting entries into a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Productos afectados

Helmholz · myREX24V2 Helmholz · myREX24V2.virtual MB connect line · mbCONNECT24 MB connect line · mymbCONNECT24

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.certvde.com/en/advisories/VDE-2026-044/