{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33613", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-03-23T13:15:49.381Z", "datePublished": "2026-04-02T08:59:34.008Z", "dateUpdated": "2026-04-02T13:42:38.209Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "mbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "mymbCONNECT24", "vendor": "MB connect line", "versions": [{"lessThanOrEqual": "2.19.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "datePublic": "2026-04-02T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.<br>This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.<br>"}], "value": "Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.\nThis vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T08:59:34.008Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"tags": ["vendor-advisory"], "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "source": {"advisory": "VDE-2026-030", "defect": ["CERT@VDE#641994"], "discovery": "EXTERNAL"}, "title": "MB connect line mbCONNECT24 vulnerable to RCE in generateSrpArray", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:41:33.794559Z", "id": "CVE-2026-33613", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:42:38.209Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:41:33.794559Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:42:18.445Z"}}], "cna": {"title": "MB connect line mbCONNECT24 vulnerable to RCE in generateSrpArray", "source": {"defect": ["CERT@VDE#641994"], "advisory": "VDE-2026-030", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Moritz Abrell, Christian Z\u00e4ske from SySS GmbH"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MB connect line", "product": "mbCONNECT24", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.19.4"}], "defaultStatus": "unaffected"}, {"vendor": "MB connect line", "product": "mymbCONNECT24", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.19.4"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-02T09:00:00.000Z", "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-030", "tags": ["vendor-advisory"]}, {"url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.\nThis vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.", "supportingMedia": [{"type": "text/html", "value": "Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.<br>This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-04-02T08:59:34.008Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33613", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:42:38.209Z", "dateReserved": "2026-03-23T13:15:49.381Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-04-02T08:59:34.008Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.\nThis vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table."}], "id": "CVE-2026-33613", "lastModified": "2026-04-02T10:16:15.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-04-02T10:16:15.727", "references": [{"source": "info@cert.vde.com", "url": "https://certvde.com/de/advisories/VDE-2026-030"}, {"source": "info@cert.vde.com", "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{}