CVE-2026-1432
CRITICALT-Systems Buroweb < 2505.0.13 - SQL Injection via Tablon Component Parameters
Title source: llmDescription
SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.
References (1)
Core 1
Core References
Third Party Advisory patch
https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform
Scores
CVSS v4
9.3
EPSS
0.0031
EPSS Percentile
22.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
T-Systems/Buroweb
< 2505.0.13
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026