CVE-2026-1481 identifies a critical SQL injection vulnerability classified under CWE-89 in the Quatuor Evaluación de Desempeño (EDD) application, a performance evaluation tool developed by Gabinete Técnico de Programación. The vulnerability is an out-of-band (OOB) SQL injection located in the 'Id_usuario' parameter of the '/evaluacion_objetivos_anyo_sig_ver_auto.aspx' endpoint. Unlike traditional in-band SQL injection, OOB SQLi allows attackers to extract data through external communication channels, such as DNS or HTTP requests initiated by the database server, bypassing direct response filtering by the application. This flaw enables an unauthenticated attacker to execute arbitrary SQL commands remotely, compromising the confidentiality and integrity of sensitive data stored in the backend database. The vulnerability affects all versions of the product, indicating a systemic issue in input sanitization and query construction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. No patches are currently available, and no known exploits have been reported, but the critical severity demands urgent attention. The vulnerability was assigned and published by INCIBE, Spain’s national cybersecurity institute, suggesting regional relevance. The lack of direct data return in the application response complicates detection but does not reduce the risk, as attackers can leverage OOB channels to exfiltrate data stealthily.

For European organizations, especially those in Spain and surrounding countries where Quatuor EDD is likely deployed, this vulnerability poses a significant risk to the confidentiality of employee performance data and potentially other sensitive organizational information stored in the database. Exploitation could lead to unauthorized data disclosure, undermining privacy compliance obligations such as GDPR. Integrity of evaluation data could also be compromised, affecting HR decisions and organizational trust. The out-of-band nature of the attack makes detection more difficult, increasing the risk of prolonged undetected breaches. Additionally, the vulnerability could be leveraged as a foothold for further network intrusion or lateral movement within corporate environments. Public sector entities and private companies relying on this software for performance management are particularly vulnerable, potentially facing reputational damage and regulatory penalties if exploited.

Immediate mitigation should focus on implementing strict input validation and sanitization for the 'Id_usuario' parameter to prevent injection of malicious SQL code. Employing parameterized queries or prepared statements in the application code is critical to eliminate direct concatenation of user input into SQL commands. Network-level monitoring should be enhanced to detect unusual outbound traffic patterns indicative of OOB data exfiltration, such as unexpected DNS or HTTP requests originating from database servers. Organizations should conduct thorough code reviews and security testing of the affected application components. Since no official patches are currently available, consider deploying web application firewalls (WAFs) with custom rules to block suspicious payloads targeting the vulnerable parameter. Additionally, restrict database permissions to the minimum necessary to limit the impact of any successful injection. Finally, maintain heightened monitoring and incident response readiness to quickly identify and respond to exploitation attempts.