SQL injection (SQLi) on the Buroweb platform
Buroweb, versions prior to 2505.0.13.
INCIBE has coordinated the publication of a critical vulnerability affecting the Buroweb web platform, a platform focused on consulting, cloud services, artificial intelligence, security, and connectivity. The vulnerability was discovered by Iban Ruiz de Galarreta Cadenas (Member of CSA's red team).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2026-1432: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:L | CWE-89
The vulnerability has been fixed by the T-Systems team in version 2505.0.13.
It is recommended to update the system software to this version or, failing that, to the latest stable version.
CVE-2026-1432: SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'.
Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-1432 | crítica | no | T-Systems |
