CVE-2026-1474 is an out-of-band (OOB) SQL injection vulnerability identified in the Quatuor Evaluación de Desempeño (EDD) application, a performance evaluation tool developed by Gabinete Técnico de Programación. The vulnerability resides in the 'Id_usuario' and 'Id_evaluacion' parameters of the '/evaluacion_inicio.aspx' page, which fail to properly neutralize special characters used in SQL commands, allowing attackers to inject malicious SQL payloads. Unlike traditional in-band SQL injection, this OOB technique enables attackers to exfiltrate sensitive data through external channels, such as DNS or HTTP requests initiated by the database server, without the application directly returning the data in its responses. This stealthy method complicates detection and increases the risk of data leakage. The vulnerability affects all versions of the product, indicating a systemic flaw in input handling. The CVSS 4.0 score of 9.3 reflects a critical severity level, with attack vector being network-based, no required privileges or user interaction, and high impact on confidentiality and integrity. Although no public exploits are currently known, the ease of exploitation and the critical nature of the data handled by performance evaluation systems make this a significant threat. The vulnerability was assigned by INCIBE and published on January 27, 2026. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.

For European organizations, especially those in public administration, human resources, and performance management sectors using Quatuor Evaluación de Desempeño (EDD), this vulnerability poses a severe risk to the confidentiality of sensitive employee and organizational data. Successful exploitation could lead to unauthorized disclosure of personal information, evaluation results, and potentially other linked sensitive data stored in the backend databases. This could result in reputational damage, regulatory penalties under GDPR due to data breaches, and loss of trust among employees and stakeholders. The out-of-band nature of the attack makes detection more difficult, increasing the window of exposure. Additionally, the integrity of evaluation data could be compromised, affecting decision-making processes. The vulnerability’s network-based attack vector and lack of required authentication mean that attackers can exploit it remotely and anonymously, increasing the threat surface. Given the criticality of the affected systems in managing personnel performance, disruption or data compromise could also indirectly impact organizational operations and compliance with labor regulations.

1. Immediate implementation of input validation and sanitization on the 'Id_usuario' and 'Id_evaluacion' parameters to reject or properly encode special SQL characters. 2. Refactor the application code to use parameterized queries or prepared statements to prevent SQL injection. 3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns, especially targeting the vulnerable endpoint. 4. Monitor outbound network traffic for unusual DNS or HTTP requests that could indicate out-of-band data exfiltration attempts. 5. Conduct thorough code reviews and security testing (including dynamic and static analysis) focusing on all user inputs in the application. 6. Isolate the database server from direct internet access and restrict outbound connections to only necessary services to limit exfiltration channels. 7. Prepare incident response plans specific to SQL injection attacks and train staff accordingly. 8. Engage with the vendor for patches or updates and apply them promptly once available. 9. Consider temporary disabling or restricting access to the vulnerable functionality if immediate patching is not feasible. 10. Maintain up-to-date backups and ensure they are securely stored to enable recovery in case of compromise.