CVE-2026-1432 PUBLISHED

SQL injection (SQLi) on the Buroweb platform

Assigner: INCIBE
Reserved: 26.01.2026 Published: 03.02.2026 Updated: 03.02.2026

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:L
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	Low	Availability	Low
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	T-Systems
Product	Buroweb
Versions	Default: unaffected affected from 0 to 2505.0.13 (excl.)

Solutions

The vulnerability has been fixed by the T-Systems team in version 2505.0.13. It is recommended to update the system software to this version or, failing that, to the latest stable version.

Credits

Iban Ruiz de Galarreta Cadenas finder

References

https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE