CVE-2026-1478 Overview
CVE-2026-1478 is an out-of-band SQL injection (OOB SQLi) vulnerability in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación (Quatuor). The flaw resides in the Id_usuario and Id_evaluacion parameters of the /evaluacion_hca_evalua.aspx endpoint. Attackers can exploit these parameters to exfiltrate sensitive database content through external channels without the application returning data directly in HTTP responses. The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The issue is exploitable remotely without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can extract sensitive data from the backend database via out-of-band channels, compromising the confidentiality of all stored records.
Affected Products
- Quatuor Evaluación de Desempeño (Performance Evaluation / EDD application)
- Vendor: Gabinete Técnico de Programación (Quatuor)
- Vulnerable endpoint: /evaluacion_hca_evalua.aspx
Discovery Timeline
- 2026-01-27 - CVE-2026-1478 published to the National Vulnerability Database
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-1478
Vulnerability Analysis
The Performance Evaluation application fails to sanitize user-supplied input passed to the Id_usuario and Id_evaluacion parameters of /evaluacion_hca_evalua.aspx. These parameters are concatenated directly into backend SQL statements, allowing arbitrary query manipulation. Because the application does not reflect query results in HTTP responses, the flaw manifests as an out-of-band SQL injection rather than a classic in-band or error-based variant.
In out-of-band SQL injection, attackers force the database to initiate outbound network connections, such as DNS lookups or HTTP requests, that carry exfiltrated data to attacker-controlled infrastructure. This technique is effective when the application suppresses query output or error messages. The confidentiality impact is high because attackers can iteratively extract table structures, credentials, and sensitive evaluation records.
Root Cause
The root cause is the absence of parameterized queries or prepared statements when handling the Id_usuario and Id_evaluacion request parameters. User input is concatenated into dynamic SQL strings without type validation or input filtering, satisfying the conditions described in CWE-89.
Attack Vector
An unauthenticated remote attacker sends crafted HTTP requests to /evaluacion_hca_evalua.aspx with malicious payloads in the Id_usuario or Id_evaluacion parameters. Payloads typically invoke database functions that trigger DNS or HTTP callbacks containing query results. The attacker monitors a controlled DNS or HTTP listener to reassemble the exfiltrated data. No user interaction or prior authentication is required, and the attack complexity is low.
No public proof-of-concept exploit is currently published. Refer to the INCIBE Notice on Out-of-Band SQL Injection in Quatuor Performance Evaluation for the official advisory.
Detection Methods for CVE-2026-1478
Indicators of Compromise
- Unexpected outbound DNS queries from the database server to external or unrecognized domains, especially long subdomain labels containing hex or base64 strings.
- Outbound HTTP or SMB connections originating from the database host to attacker-controlled infrastructure.
- Web server logs showing requests to /evaluacion_hca_evalua.aspx with abnormal Id_usuario or Id_evaluacion values containing SQL keywords, single quotes, or stacked statements.
Detection Strategies
- Deploy a Web Application Firewall (WAF) rule set that inspects the Id_usuario and Id_evaluacion parameters for SQL syntax, comment markers, and known OOB payloads such as xp_dirtree, LOAD_FILE, or UTL_HTTP.
- Correlate web access logs with database egress traffic to identify timing patterns consistent with OOB exfiltration.
- Enable database query auditing and alert on dynamically constructed statements containing characters from untrusted input.
Monitoring Recommendations
- Monitor egress traffic from database and application servers, blocking unsanctioned DNS resolvers and outbound ports.
- Alert on HTTP 200 responses to /evaluacion_hca_evalua.aspx accompanied by request bodies containing SQL metacharacters.
- Review IIS or ASP.NET logs daily for parameter values exceeding expected numeric length or format.
How to Mitigate CVE-2026-1478
Immediate Actions Required
- Restrict network access to the EDD application until a vendor patch is applied, limiting reachability to trusted internal networks or VPN users.
- Block outbound DNS and HTTP traffic from database servers to the public internet, removing the channel required for OOB exfiltration.
- Deploy WAF rules that reject requests where Id_usuario or Id_evaluacion contain non-numeric characters.
Patch Information
No vendor patch URL is currently listed in the available references. Administrators should contact Gabinete Técnico de Programación (Quatuor) directly and consult the INCIBE-CERT advisory for vendor communication and remediation status.
Workarounds
- Enforce strict input validation at a reverse proxy, allowing only integer values for Id_usuario and Id_evaluacion parameters.
- Apply least-privilege principles to the database account used by the application, removing rights to execute network-related functions such as xp_cmdshell, xp_dirtree, or UTL_HTTP.
- Configure host-based firewall rules on database servers to deny outbound connections except to required application hosts.
# Example egress restriction on a Linux database host using iptables
# Rule order matters: -A appends, so the ACCEPT for internal resolvers must come before the DROP.
# Extend the same pattern with an ACCEPT for each required application host ahead of the port-wide DROPs.
iptables -A OUTPUT -p udp --dport 53 -d 10.0.0.0/8 -j ACCEPT   # DNS only to internal resolvers
iptables -A OUTPUT -p udp --dport 53 -j DROP                   # no DNS to anything else
iptables -A OUTPUT -p tcp --dport 53 -j DROP                   # DNS over TCP as well
iptables -A OUTPUT -p tcp --dport 80 -j DROP                   # no outbound HTTP
iptables -A OUTPUT -p tcp --dport 443 -j DROP                  # no outbound HTTPS
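As an added example (not code from this page or from the vendor), the following Python scanner applies the integer allow-list from the reverse-proxy workaround to the two parameters and flags IIS log lines for the endpoint whose values carry SQL metacharacters or the OOB function names listed in the Detection section. The sample log lines and the IIS W3C field order are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/evaluacion_hca_evalua.aspx"
WATCHED = ("id_usuario", "id_evaluacion")   # matched case-insensitively, as ASP.NET does
PLAIN_ID = re.compile(r"\d{1,10}")           # the only shape a legitimate id should have
# function names the advisory lists as typical OOB primitives, lower-cased for matching
OOB_MARKERS = ("xp_dirtree", "load_file", "utl_http", "xp_cmdshell")
SQL_METACHARS = re.compile(r"['\";]|--|/\*")

def is_plain_id(value):
    """Allow-list check a reverse proxy can apply: digits only, nothing else."""
    return PLAIN_ID.fullmatch(value) is not None

def classify_value(value):
    """Reason tag for a suspicious parameter value, or None for a plain integer."""
    if is_plain_id(value):
        return None
    low = value.lower()
    for marker in OOB_MARKERS:
        if marker in low:
            return "oob-marker:" + marker
    if SQL_METACHARS.search(value):
        return "sql-metachar"
    return "non-numeric"

def scan_iis_line(line):
    """One IIS W3C line -> [(client_ip, param, reason)]; indexes follow the #Fields header below."""
    if line.startswith("#"):
        return []
    fields = line.split()
    if len(fields) < 9 or fields[4].lower() != ENDPOINT or fields[5] == "-":
        return []
    # parse_qs percent-decodes the values and turns '+' into a space
    params = {k.lower(): v for k, v in parse_qs(fields[5], keep_blank_values=True).items()}
    findings = []
    for name in WATCHED:
        for value in params.get(name, []):
            reason = classify_value(value)
            if reason:
                findings.append((fields[8], name, reason))
    return findings

# constructed sample log, not real traffic: the second client sends tampered ids
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2026-02-10 10:15:01 10.0.0.5 GET /evaluacion_hca_evalua.aspx Id_usuario=1042&Id_evaluacion=7 443 - 10.0.0.20 Mozilla/5.0 - 200
2026-02-10 10:15:09 10.0.0.5 GET /evaluacion_hca_evalua.aspx Id_usuario=1042'%3B--&Id_evaluacion=7 443 - 203.0.113.9 curl/8.0 - 200
2026-02-10 10:15:11 10.0.0.5 GET /evaluacion_hca_evalua.aspx Id_usuario=1&id_evaluacion=7%3B+xp_dirtree 443 - 203.0.113.9 curl/8.0 - 200
""".splitlines()
```

Run it over a real log with `[hit for line in open(path) for hit in scan_iis_line(line)]`; the same `is_plain_id` check is what a proxy should enforce before the request ever reaches the application.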
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.