PatchSiren cyber security CVE debrief
CVE-2026-40813 VDE-CERT CVE debrief
An unauthenticated SQL injection vulnerability exists in the `getLiveValues` function, specifically in its `tagid` parameter. The flaw is improper neutralization of special elements used in a SQL SELECT command (CWE-89): the parameter value is not properly neutralized before it is used in the query, so a remote attacker who can reach the function can inject arbitrary SQL without authenticating. Successful exploitation can result in a total loss of confidentiality for the data reachable by the database account the application uses. The vulnerability carries a HIGH severity CVSS 4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N). Vendor attribution is currently uncertain: it was derived from the reference domain candidate 'Certvde' with low confidence and is flagged for review. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.
- Vendor: VDE-CERT (attribution unconfirmed; see evidence notes)
- Product: Industrial Automation Software (getLiveValues component)
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Database administrators, application security teams, and organizations running systems that expose getLiveValues functionality, particularly in industrial or operational technology environments given the VDE-CERT advisory source. Immediate attention is warranted because the attack vector is unauthenticated and network-reachable and the confidentiality impact is high.
Technical summary
The vulnerability resides in improper sanitization of the `tagid` parameter within the `getLiveValues` function, which lets unauthenticated attackers alter the SQL SELECT command the function builds. The CVSS 4.0 vector indicates network accessibility, low attack complexity, no required privileges or user interaction, and an impact confined to confidentiality (no integrity or availability impact). In practice this means an attacker can read data from the underlying database beyond the live values the function is meant to return, limited by the privileges of the database account the application connects with.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries to the tagid parameter in the getLiveValues function: validate the parameter against the shape a tag id is allowed to have, and pass it to the database as a bound parameter rather than concatenating it into SQL text
- Apply the principle of least privilege to the database account used by the affected application, so that an injected SELECT can only reach the tables the application legitimately needs
- Monitor database query logs for SELECT statements whose tagid predicate contains anything other than a plain integer value (for example appended UNION clauses, comment sequences or additional conditions)
- Review and restrict network exposure of systems hosting the vulnerable component pending vendor confirmation and patch availability
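As an added example, not code from the advisory or from any vendor product, the following Python models the vulnerable and hardened shapes of a getLiveValues handler against an in-memory SQLite database, and adds a small query-log check matching the monitoring item above. The schema, the `live_values` and `users` tables, the sample rows, the log format and the injected payload are all constructed assumptions; the real implementation behind CVE-2026-40813 is not described in the advisory.

```python
import re
import sqlite3

# Constructed stand-in schema. The real schema behind getLiveValues is not
# described in the advisory; table and column names here are assumptions.
SCHEMA = """
CREATE TABLE live_values (tagid INTEGER PRIMARY KEY, tagname TEXT, value REAL);
INSERT INTO live_values VALUES (1, 'pump1.flow', 12.5), (2, 'tank1.level', 71.2);
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO users VALUES ('operator', 'hash-op'), ('admin', 'hash-admin');
"""


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_live_values_vulnerable(conn: sqlite3.Connection, tagid: str) -> list:
    """CWE-89 pattern: the request parameter is concatenated into the SELECT."""
    sql = "SELECT tagname, value FROM live_values WHERE tagid = " + tagid
    return conn.execute(sql).fetchall()


# Allow-list for the parameter shape: a tag id is a short decimal integer.
TAGID_RE = re.compile(r"[0-9]{1,9}")


def get_live_values_hardened(conn: sqlite3.Connection, tagid: str) -> list:
    """Validate the parameter shape, then bind it; SQL text never carries user data."""
    if not TAGID_RE.fullmatch(tagid):
        raise ValueError("tagid must be a decimal integer")
    sql = "SELECT tagname, value FROM live_values WHERE tagid = ?"
    return conn.execute(sql, (int(tagid),)).fetchall()


# Constructed payload: a UNION appended to the tagid value pulls rows from an
# unrelated table out through the same SELECT (confidentiality impact only).
INJECTED_TAGID = "1 UNION SELECT username, password_hash FROM users"


# Detection over query logs (assumed format: one statement per line). Normal
# operation is assumed to issue the single predicate "tagid = <integer>", so
# anything else on the right-hand side is flagged. Bound placeholders as
# written by drivers that log the statement text are allowed through.
TAGID_PREDICATE_RE = re.compile(r"\btagid\s*=\s*(.+?)\s*;?\s*$", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"\?|[:@$][A-Za-z_]\w*")


def is_anomalous_tagid_query(logged_sql: str) -> bool:
    """True when a logged statement's tagid predicate is not a bare integer."""
    m = TAGID_PREDICATE_RE.search(logged_sql)
    if m is None:
        return False  # not a tagid query at all; out of scope for this check
    rhs = m.group(1)
    if PLACEHOLDER_RE.fullmatch(rhs):
        return False  # parameterized statement logged with its placeholder
    return TAGID_RE.fullmatch(rhs) is None


def scan_query_log(lines: list) -> list:
    """Return the logged statements that fail the tagid predicate check."""
    return [line for line in lines if is_anomalous_tagid_query(line)]


# Constructed log lines for the scanner.
SAMPLE_LOG = [
    "SELECT tagname, value FROM live_values WHERE tagid = 7",
    "SELECT tagname, value FROM live_values WHERE tagid = ?",
    "SELECT tagname, value FROM live_values WHERE tagid = " + INJECTED_TAGID,
    "SELECT tagname, value FROM live_values WHERE tagid = 1 OR 1=1",
    "SELECT count(*) FROM live_values",
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_live_values_vulnerable(db, INJECTED_TAGID))
    print("hardened:", get_live_values_hardened(db, "1"))
    print("flagged:", scan_query_log(SAMPLE_LOG))
```

The allow-list on the parameter shape and the bound parameter are independent controls; either one alone stops this payload, and keeping both means a later change to the query cannot silently reintroduce concatenation of a value that was never validated. The log check is deliberately tied to the single-predicate shape the advisory describes; if legitimate queries append further conditions, extend the allow-list pattern rather than switching to a keyword blocklist.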
Evidence notes
Vulnerability disclosed via NVD with VDE-CERT advisory reference. CVSS 4.0 vector confirms network attack vector with no privileges required and high confidentiality impact. Vendor identification remains unconfirmed pending review.
Official resources
- CVE-2026-40813 CVE record (CVE.org)
- CVE-2026-40813 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27