CVE-2026-1472 identifies a critical SQL injection vulnerability classified under CWE-89 in the Quatuor Evaluación de Desempeño (EDD) application, a performance evaluation tool developed by Gabinete Técnico de Programación. The vulnerability is an out-of-band (OOB) SQL injection located in the 'txAny' parameter of the '/evaluacion_competencias_autoeval_list.aspx' page. Unlike traditional in-band SQLi, OOB SQLi allows attackers to exfiltrate data through external channels such as DNS or HTTP requests initiated by the database server, bypassing direct response filtering by the application. This vulnerability affects all versions of the product and requires no authentication or user interaction, making it highly exploitable remotely. The CVSS 4.0 score of 9.3 reflects its critical severity, with network attack vector, low attack complexity, no privileges or user interaction needed, and high impact on confidentiality and integrity. The vulnerability enables attackers to extract sensitive information from the backend database, potentially exposing confidential employee evaluations or organizational data. No patches or exploit code are currently publicly available, but the risk remains significant due to the nature of the flaw and the widespread use of the affected software in performance management contexts.

For European organizations, exploitation of this vulnerability could lead to severe confidentiality breaches involving sensitive HR and performance evaluation data, potentially violating GDPR and other data protection regulations. The integrity of evaluation data could also be compromised, undermining trust in performance management processes. The out-of-band nature of the attack complicates detection, increasing the risk of prolonged undetected data exfiltration. Organizations relying on Quatuor EDD for employee assessments or compliance reporting may face reputational damage, legal penalties, and operational disruptions. The vulnerability's ease of exploitation without authentication or user interaction broadens the attack surface, making even perimeter defenses insufficient if internal monitoring is lacking. Additionally, the exposure of sensitive internal data could be leveraged for further attacks such as social engineering or insider threats.

Immediate mitigation should focus on implementing strict input validation and sanitization for the 'txAny' parameter to prevent injection of malicious SQL commands. Developers should adopt parameterized queries or prepared statements to eliminate direct concatenation of user input into SQL commands. Network-level controls such as egress filtering should be enforced to block unauthorized outbound connections that could be used for OOB data exfiltration. Organizations should monitor DNS and HTTP traffic for anomalies indicative of OOB SQLi exploitation attempts. Conducting a thorough code review and penetration testing focused on SQL injection vectors is recommended. Since no patches are currently available, consider isolating or restricting access to the affected application until a vendor fix is released. Logging and alerting mechanisms should be enhanced to detect suspicious activities related to database queries and outbound network requests. Finally, ensure that all backups and sensitive data repositories are secured and regularly audited.