CVE-2026-1477 identifies a critical SQL injection vulnerability classified under CWE-89 in the Quatuor Evaluación de Desempeño (EDD) application, a performance evaluation tool developed by Gabinete Técnico de Programación. The vulnerability is an out-of-band (OOB) SQL injection affecting the 'Id_usuario' and 'Id_evaluacion' parameters in the '/evaluacion_competencias_evalua_old.aspx' page. OOB SQLi allows attackers to execute crafted SQL commands that do not return data directly through the application’s normal response channels but instead exfiltrate data via alternative communication paths, such as DNS or HTTP requests to attacker-controlled servers. This technique makes detection harder and increases the stealth of attacks. The vulnerability affects all versions of the product, indicating a systemic flaw in input sanitization and query construction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity, with limited impact on availability. No patches or known exploits are currently reported, but the risk is substantial due to the criticality and ease of exploitation. The vulnerability stems from improper neutralization of special SQL elements, allowing injection of malicious SQL code that can manipulate database queries to extract sensitive information such as user credentials, evaluation data, or internal configurations. Given the nature of the application—used for performance evaluations—compromise could lead to exposure of personal and organizational sensitive data, potentially violating data protection regulations.

For European organizations, exploitation of this vulnerability could lead to significant breaches of confidentiality, exposing sensitive employee performance data and potentially other internal information stored in the database. This could result in reputational damage, legal liabilities under GDPR, and operational disruptions if data integrity is compromised. Public sector entities and large enterprises using Quatuor EDD for HR management are particularly at risk, as attackers could leverage the vulnerability to conduct espionage, data theft, or prepare for further attacks by gaining insights into organizational structures. The out-of-band nature of the SQL injection complicates detection and response, increasing the window of exposure. Additionally, the lack of authentication requirements means that attackers can exploit the vulnerability remotely without credentials, broadening the attack surface. The critical severity score underscores the potential for widespread impact if exploited at scale, especially in countries with higher adoption of the affected software.

Immediate mitigation should include implementing strict input validation and sanitization on the 'Id_usuario' and 'Id_evaluacion' parameters to reject malicious payloads. Developers must refactor database queries to use parameterized statements or prepared queries to prevent injection. Network-level controls should monitor and restrict unusual outbound DNS or HTTP requests that could indicate OOB data exfiltration attempts. Organizations should conduct thorough code reviews and penetration testing focused on SQL injection vectors in the affected application modules. Since no official patches are currently available, applying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns can provide interim protection. Logging and alerting mechanisms should be enhanced to detect anomalies in database query patterns and external communications. Finally, organizations should prepare incident response plans specific to data exfiltration scenarios and ensure compliance with GDPR notification requirements in case of data breaches.