Description
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_acciones_evalua.aspx’ could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Database confidentiality compromise via OOB SQL injection
Action: Apply patch
AI Analysis

Impact

An out-of-band SQL injection vulnerability exists in the EDD application, allowing an attacker to inject malicious SQL through the Id_usuario parameter on /evaluacion_acciones_evalua.aspx. Because the data is transmitted via an external channel rather than returned directly, a successful exploit could extract any sensitive database information, compromising confidentiality. The flaw is identified as CWE-89.

Affected Systems

The vulnerability affects the Quatuor Evaluación de Desempeño (EDD) application. No specific version numbers are listed; the issue was present until the release on 12 November 2025.

Risk and Exploitability

With a CVSS base score of 9.3 the flaw is considered critical. The EPSS score is below 1%, indicating a low probability of exploitation in the near term, and the vulnerability is not currently listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable flaw requiring no privileges and no user interaction: an attacker manipulates a web request to execute the injection and exfiltrates data through an external channel.

Generated by OpenCVE AI on April 18, 2026 at 14:46 UTC.

Remediation

Vendor Solution

The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.


OpenCVE Recommended Actions

  • Apply the patch released on 12 November 2025, which removes the vulnerable code.
  • If an immediate upgrade is not possible, restrict or disable outbound network connections that could carry out-of-band data to prevent exfiltration.
  • Implement input validation on the Id_usuario parameter, allowing only numeric values and rejecting or escaping any non-numeric input.
  • Continuously monitor web application logs and outbound traffic for patterns indicative of OOB SQL injection attempts, and anomalous database queries.
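The input validation the recommendations call for, as an added illustration in ASP.NET Web Forms (C#) and not the vendor's code: the concatenation pattern that makes a request parameter such as Id_usuario injectable, next to a handler that accepts only an integer and binds it as a typed query parameter. The table and column names, the connection-string name and the label control are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Added illustration, not the vendor's code. The table and column names (Usuarios, Nombre,
// Id_usuario), the connection-string name and the lblNombre label are assumptions.
public partial class EvaluacionAccionesEvalua : Page
{
    // Weak pattern, shown for contrast only and never called: the raw request value is
    // concatenated into the SQL text, so whatever the client sends is executed as SQL.
    private static string BuildQueryUnsafe(string idUsuario)
    {
        return "SELECT Nombre FROM Usuarios WHERE Id_usuario = " + idUsuario;
    }
    // Hardened pattern, step 1: accept only a plain decimal integer. Null, empty, signs,
    // whitespace, comment markers or any other character are rejected before the database is involved.
    internal static bool TryParseUsuarioId(string raw, out int idUsuario)
    {
        idUsuario = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 9) return false;
        foreach (char c in raw) if (c < '0' || c > '9') return false;
        return int.TryParse(raw, out idUsuario);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        int idUsuario;
        if (!TryParseUsuarioId(Request.QueryString["Id_usuario"], out idUsuario))
        {
            // Reject with a bare 400; the response carries nothing the caller can learn from.
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Hardened pattern, step 2: the value travels as a typed parameter, never as SQL text.
        string cs = ConfigurationManager.ConnectionStrings["EddDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Nombre FROM Usuarios WHERE Id_usuario = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = idUsuario;
            conn.Open();
            lblNombre.Text = HttpUtility.HtmlEncode(Convert.ToString(cmd.ExecuteScalar()));
        }
    }
}
```

Parameterisation removes the injection itself; the outbound-connection restriction and log monitoring listed above still apply, since they limit what any remaining flaw could exfiltrate.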



Advisories

No advisories yet.

History

Tue, 10 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*
Metrics | (none) | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 27 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Quatuor; Quatuor evaluacion De Desempeno
Vendors & Products | (none) | Quatuor; Quatuor evaluacion De Desempeno

Tue, 27 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_acciones_evalua.aspx’ could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Title | (none) | Out-of-band SQL injection in Quatuor Performance Evaluation
Weaknesses | (none) | CWE-89
References | (none) | (none shown)
Metrics | (none) | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-01-27T20:52:26.632Z

Reserved: 2026-01-27T09:25:52.801Z

Link: CVE-2026-1475

Vulnrichment

Updated: 2026-01-27T19:49:46.241Z

NVD

Status: Analyzed

Published: 2026-01-27T17:16:10.840

Modified: 2026-02-10T20:20:35.903

Link: CVE-2026-1475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses