CVE-2026-1432 | THREATINT

Description

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.

PUBLISHED Reserved 2026-01-26 | Published 2026-02-03 | Updated 2026-02-03 | Assigner INCIBE

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:L

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

Any version before 2505.0.13

affected

Credits

Iban Ruiz de Galarreta Cadenas finder

References

www.incibe.es/...s/aviso/sql-injection-sqli-buroweb-platform patch

cve.org (CVE-2026-1432)

nvd.nist.gov (CVE-2026-1432)

Download JSON