Home

Description

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability.

PUBLISHED Reserved 2026-03-23 | Published 2026-04-02 | Updated 2026-04-02 | Assigner CERTVDE




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

0.0.0 (semver)
affected

Default status
unaffected

0.0.0 (semver)
affected

Credits

Moritz Abrell, Christian Zäske from SySS GmbH finder

References

certvde.com/de/advisories/VDE-2026-030 vendor-advisory

mbconnectline.csaf-tp.certvde.com/.../2026/vde-2026-030.json vendor-advisory

cve.org (CVE-2026-33615)

nvd.nist.gov (CVE-2026-33615)

Download JSON