CVE-2026-1472 Overview
CVE-2026-1472 is an out-of-band SQL injection (OOB SQLi) vulnerability in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación (Quatuor). The flaw resides in the txAny parameter of the /evaluacion_competencias_autoeval_list.aspx endpoint. Attackers can inject crafted SQL payloads that force the database to exfiltrate data through external channels such as DNS or HTTP requests. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). No authentication or user interaction is required for exploitation.
Critical Impact
Unauthenticated attackers can extract sensitive database contents through out-of-band channels, compromising confidentiality of stored evaluation records and credentials.
Affected Products
- Quatuor Evaluación de Desempeño (EDD) application
- quatuor:evaluacion_de_desempeno (all versions per CPE cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*)
- Deployments exposing /evaluacion_competencias_autoeval_list.aspx
Discovery Timeline
- 2026-01-27 - CVE-2026-1472 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-1472
Vulnerability Analysis
The vulnerability is an out-of-band SQL injection affecting the txAny parameter in the evaluacion_competencias_autoeval_list.aspx page. Out-of-band SQL injection differs from classic in-band injection because the application does not return query results in the HTTP response. Instead, attackers force the database engine to initiate outbound network requests, embedding stolen data inside DNS lookups or HTTP callbacks to an attacker-controlled server. This technique is effective against applications that suppress error messages and do not reflect query output to the client.
Exploitation targets confidentiality, allowing extraction of arbitrary records from the underlying database. Because the affected endpoint accepts requests over the network without authentication, any attacker who can reach the web application can attempt exploitation. The attack complexity is low and no privileges are required.
Root Cause
The application concatenates user-controlled input from the txAny parameter directly into SQL queries without parameterization or proper input sanitization. The database driver permits functions that perform external network operations, enabling exfiltration even when query results are not rendered to the response.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to /evaluacion_competencias_autoeval_list.aspx containing a malicious txAny value. The payload uses database functions that trigger DNS or HTTP requests to an attacker-controlled domain, with sensitive data appended as subdomains or URI components. The attacker then captures exfiltrated content from their DNS or HTTP listener.
No verified public proof-of-concept code is available. Refer to the INCIBE SQL Injection Notice for additional technical details.
Detection Methods for CVE-2026-1472
Indicators of Compromise
- Unexpected outbound DNS queries from database server hosts to unfamiliar external domains, especially with long randomized subdomains.
- HTTP requests to /evaluacion_competencias_autoeval_list.aspx containing SQL keywords, concatenation operators, or function names such as xp_dirtree, UTL_HTTP, or LOAD_FILE inside the txAny parameter.
- Web server logs showing repeated requests to the affected endpoint with abnormally long or encoded parameter values.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the txAny parameter for SQL metacharacters and known OOB exfiltration function names.
- Correlate database server egress traffic with web application request logs to identify anomalous DNS or HTTP callbacks initiated by the SQL engine.
- Hunt for SQL injection patterns in IIS or .NET application logs using OCSF-normalized telemetry.
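One way to hunt for the web-log indicators listed above, as an added example that is not vendor or advisory code: it reads IIS W3C log lines, isolates requests to the affected endpoint, and classifies the decoded txAny value. The SQL heuristic, the length ceiling and the sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/evaluacion_competencias_autoeval_list.aspx"
PARAM = "txany"  # compared case-insensitively
# Function names the advisory lists as indicators.
OOB_FUNCS = re.compile(r"xp_dirtree|utl_http|load_file", re.I)
# SQL metacharacters and keywords: a heuristic chosen for this example.
SQL_META = re.compile(r"[';]|--|/\*|\|\||\b(?:union|select|exec|declare)\b", re.I)
MAX_LEN = 64  # assumed ceiling for a legitimate txAny value; tune locally

def classify(value):
    """Return the reasons a txAny value looks suspicious (empty if none)."""
    decoded = unquote(value)  # second pass catches double-encoded input
    checks = [("oob_function", OOB_FUNCS.search(decoded)),
              ("sql_metachar", SQL_META.search(decoded)),
              ("long_value", len(decoded) > MAX_LEN)]
    return [name for name, hit in checks if hit]

def scan_iis_log(lines):
    """Return (client_ip, reasons) for each flagged request to the endpoint."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the W3C header names the columns
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != PARAM:
                continue
            for value in values:
                reasons = classify(value)
                if reasons:
                    hits.append((rec.get("c-ip", "-"), reasons))
    return hits

# Constructed sample log (documentation IP ranges, non-functional values).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2026-02-01 10:00:01 GET /evaluacion_competencias_autoeval_list.aspx txAny=2025 192.0.2.10 200",
    "2026-02-01 10:00:07 GET /evaluacion_competencias_autoeval_list.aspx txAny=2025%27%3Bxp_dirtree+CONSTRUCTED 198.51.100.7 200",
    "2026-02-01 10:00:09 GET /evaluacion_competencias_autoeval_list.aspx txAny=" + "A" * 80 + " 198.51.100.7 200",
    "2026-02-01 10:00:11 GET /default.aspx txAny=%27 192.0.2.10 200",
]
```

IIS W3C logs record only the query string, so if txAny is submitted in a POST body, run `classify()` over WAF or application-level request logs instead.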
Monitoring Recommendations
- Enable database query logging and review queries originating from the EDD application for unusual function calls.
- Restrict and monitor outbound network access from database servers; alert on any unexpected DNS resolution requests.
- Forward web access logs and database audit logs to a centralized analytics platform for continuous detection of injection signatures.
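The correlation of database-host DNS egress with web requests described above, sketched as an added example that is not part of the original advisory: it flags lookups outside an allowlisted zone that carry a long, high-entropy label and pairs each with the endpoint request that immediately preceded it. The zone name, thresholds, time window and all sample events are assumptions constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

ALLOWED_ZONES = ("corp.example",)      # assumed internal zone the DB may resolve
WINDOW = timedelta(seconds=5)          # assumed web-request-to-lookup delay
MIN_LABEL_LEN, MIN_ENTROPY = 20, 3.5   # assumed thresholds for "long randomized"

def entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    total = len(label)
    return -sum(n / total * math.log2(n / total) for n in Counter(label).values())

def is_allowed(name):
    """Match whole zones only, so evilcorp.example does not pass as corp.example."""
    return any(name == z or name.endswith("." + z) for z in ALLOWED_ZONES)

def looks_like_exfil(qname):
    """True for a non-allowlisted name carrying a long, high-entropy label."""
    name = qname.rstrip(".").lower()
    if is_allowed(name):
        return False
    return any(len(l) >= MIN_LABEL_LEN and entropy(l) >= MIN_ENTROPY
               for l in name.split("."))

def correlate(web_times, dns_events):
    """Pair each exfil-like lookup with the endpoint request just before it."""
    pairs = []
    for when, qname in dns_events:
        if not looks_like_exfil(qname):
            continue
        prior = [t for t in web_times if timedelta(0) <= when - t <= WINDOW]
        pairs.append((qname, max(prior) if prior else None))
    return pairs

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed data: endpoint request times taken from the web log, and
# lookups the resolver recorded from the database host.
WEB_TIMES = [ts("2026-02-01 10:00:07"), ts("2026-02-01 10:05:00")]
DNS_EVENTS = [
    (ts("2026-02-01 10:00:08"), "q7x2m9k4v1z8b3n6c5j0h7t2.collector.example."),
    (ts("2026-02-01 10:02:00"), "sql01.corp.example."),
    (ts("2026-02-01 10:05:02"), "updates.vendor.example."),
]
```

A lookup paired with `None` is still worth reviewing: it matched the exfiltration heuristic without a logged endpoint request in the window, which can mean the request was not logged or arrived by another path.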
How to Mitigate CVE-2026-1472
Immediate Actions Required
- Contact Quatuor (Gabinete Técnico de Programación) to obtain remediation guidance and any available patched build of the EDD application.
- Place the affected /evaluacion_competencias_autoeval_list.aspx endpoint behind WAF rules that block SQL injection patterns targeting the txAny parameter.
- Block outbound DNS and HTTP traffic from the database server to untrusted destinations to neutralize OOB exfiltration channels.
Patch Information
At the time of publication, no vendor advisory URL or fixed version is listed in the NVD record. Affected organizations should consult the INCIBE SQL Injection Notice and contact the vendor directly for a remediation timeline.
Workarounds
- Apply parameterized queries or stored procedures in any custom integrations that touch the affected endpoint.
- Restrict access to the EDD application to trusted internal networks or VPN users until a vendor patch is available.
- Disable or remove database functions that permit outbound network operations (for example, xp_cmdshell, xp_dirtree, or equivalent) where not required.
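# Example egress restriction on database host (Linux iptables)
# Allow DNS only to the trusted resolver, over both UDP and TCP
iptables -A OUTPUT -p udp --dport 53 -d <trusted-dns-server> -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -d <trusted-dns-server> -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
# Drop outbound HTTP, and HTTPS from the database service account
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner mssql -j DROP
# Note: a recursive trusted resolver still forwards external lookups; filter or log them there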

