Search criteria
1 vulnerability by T-Systems
CVE-2026-1432 (GCVE-0-2026-1432)
Vulnerability from cvelistv5 – Published: 2026-02-03 11:14 – Updated: 2026-02-03 15:28
VLAI?
Title
SQL injection (SQLi) on the Buroweb platform
Summary
SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
Iban Ruiz de Galarreta Cadenas
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:19:44.387188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:28:52.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Buroweb",
"vendor": "T-Systems",
"versions": [
{
"lessThan": "2505.0.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:t-systems:buroweb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2505.0.13",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Iban Ruiz de Galarreta Cadenas"
}
],
"datePublic": "2026-02-03T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the \u0027tablon\u0027 component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint \u0027/sta/CarpetaPublic/doEvent?APP_CODE=STA\u0026amp;PAGE_CODE=TABLON\u0027. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information."
}
],
"value": "SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the \u0027tablon\u0027 component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint \u0027/sta/CarpetaPublic/doEvent?APP_CODE=STA\u0026PAGE_CODE=TABLON\u0027. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T11:14:37.406Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has been fixed by the T-Systems team in version 2505.0.13. It is recommended to update the system software to this version or, failing that, to the latest stable version."
}
],
"value": "The vulnerability has been fixed by the T-Systems team in version 2505.0.13. It is recommended to update the system software to this version or, failing that, to the latest stable version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection (SQLi) on the Buroweb platform",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-1432",
"datePublished": "2026-02-03T11:14:37.406Z",
"dateReserved": "2026-01-26T12:24:50.541Z",
"dateUpdated": "2026-02-03T15:28:52.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}