CVE-2026-1432
Unknown Unknown - Not Provided
SQL Injection in Buroweb Tablon Component Exposes Data

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1432
EUVD
EUVD-2026-5293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
buroweb buroweb to 2505.0.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1432 is a critical SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component at the endpoint '/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON'. Multiple parameters do not properly sanitize user input, allowing an unauthenticated attacker to execute arbitrary SQL queries on the backend database. This can lead to unauthorized access to confidential information. [1]

Impact Analysis

Exploiting this vulnerability could allow an attacker to execute arbitrary SQL queries on the database without authentication, potentially leading to unauthorized access to confidential information stored in the Buroweb platform. This could result in data breaches, loss of sensitive data, and compromise of system integrity. [1]

Detection Guidance

This vulnerability can be detected by testing the endpoint `/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON` for SQL injection flaws in its parameters. You can use tools like sqlmap or manual curl commands to send crafted inputs that include SQL injection payloads to observe if the backend executes arbitrary SQL queries. For example, a curl command to test might be: `curl -G 'http://<target>/sta/CarpetaPublic/doEvent' --data-urlencode 'APP_CODE=STA' --data-urlencode 'PAGE_CODE=TABLON' --data-urlencode 'param=1 OR 1=1'` (replace `param` with actual parameter names). Monitoring logs for unusual database errors or unexpected query results can also help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to update the Buroweb platform to version 2505.0.13 or later, where this SQL injection vulnerability has been fixed. Applying this update will ensure that the input sanitization issues in the 'tablon' component are resolved. Until the update can be applied, consider restricting access to the vulnerable endpoint and monitoring for suspicious activity. [1]

Compliance Impact

This SQL injection vulnerability could lead to unauthorized access to confidential information, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive data. Exploitation of this flaw could compromise the confidentiality and integrity of personal or protected health information, thereby affecting compliance with these standards. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1432. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart