{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1478", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-01-27T09:25:55.224Z", "datePublished": "2026-01-27T16:30:35.628Z", "dateUpdated": "2026-03-24T15:40:06.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-24T15:40:06.500Z"}, "title": "Out-of-band SQL injection in Quatuor Performance Evaluation", "datePublic": "2026-01-27T16:19:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "affected": [{"vendor": "Quatuor", "product": "Evaluaci\u00f3n de Desempe\u00f1o (EDD)", "versions": [{"status": "affected", "version": "0", "lessThan": "11/12/2025", "versionType": "date"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluaci_n_de_desempe_o_edd_:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "11_12_2025"}]}]}], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete T\u00e9cnico de Programaci\u00f3n. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion\u2019 in \u2018/evaluacion_hca_evalua.aspx\u2019, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete T\u00e9cnico de Programaci\u00f3n. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion\u2019 in \u2018/evaluacion_hca_evalua.aspx\u2019, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable."}]}], "credits": [{"lang": "en", "value": "\u00d3scar Atienza Vendrell", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:58:32.287599Z", "id": "CVE-2026-1478", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T19:09:00.278Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:58:32.287599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T19:08:52.462Z"}}], "cna": {"title": "Out-of-band SQL injection in Quatuor Performance Evaluation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "\u00d3scar Atienza Vendrell"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Quatuor", "product": "Evaluaci\u00f3n de Desempe\u00f1o (EDD)", "versions": [{"status": "affected", "version": "0", "lessThan": "11/12/2025", "versionType": "date"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.", "supportingMedia": [{"type": "text/html", "value": "The vulnerabilities have been resolved in the latest version of the application, released on November 12, 2025, and are no longer exploitable.", "base64": false}]}], "datePublic": "2026-01-27T16:19:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete T\u00e9cnico de Programaci\u00f3n. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion\u2019 in \u2018/evaluacion_hca_evalua.aspx\u2019, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.", "supportingMedia": [{"type": "text/html", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete T\u00e9cnico de Programaci\u00f3n. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion\u2019 in \u2018/evaluacion_hca_evalua.aspx\u2019, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quatuor:evaluaci_n_de_desempe_o_edd_:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "11_12_2025", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-03-24T15:40:06.500Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1478", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:40:06.500Z", "dateReserved": "2026-01-27T09:25:55.224Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2026-01-27T16:30:35.628Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete T\u00e9cnico de Programaci\u00f3n. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion\u2019 in \u2018/evaluacion_hca_evalua.aspx\u2019, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}], "id": "CVE-2026-1478", "lastModified": "2026-02-10T20:21:25.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2026-01-27T17:16:11.277", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:16:34.978779+00:00", "value": {"mitigation_remediation": ["Upgrade the application to the latest release made available on November\u00a012,\u00a02025, which contains the fix for this OOB SQL injection. ", "Implement explicit input validation for the \u2018Id_usuario\u2019 and \u2018Id_evaluacion\u2019 parameters, allowing only numeric values and rejecting any non\u2011numeric payloads. ", "Deploy a web application firewall or similar security layer to detect and block anomalous SQL queries that attempt to exfiltrate data to external hosts."], "summary": {"action": "Patch immediately", "impact": "Remote data exfiltration via out\u2011of\u2011band SQL injection"}, "threat_synthesis": {"affected_systems": "Quatuor: Evaluaci\u00f3n de Desempe\u00f1o (EDD) is the product affected. The CVE does not list specific full\u2011patch versions, but the vendor has released an updated version on November\u00a012,\u00a02025 that resolves the issue. The vulnerability applies to the base application prior to that release.", "description_and_impact": "The vulnerability is an out\u2011of\u2011band SQL injection (OOB SQLi) that occurs when an attacker supplies specially crafted input in the parameters \u2018Id_usuario\u2019 or \u2018Id_evaluacion\u2019 on the /evaluacion_hca_evalua.aspx page of the Quatuor performance evaluation application. Because the application does not filter or encode the data, the attacker can force the database to send query results to an external location controlled by the attacker, thereby exfiltrating sensitive information without the application returning it directly to the user. The weakness is a classic SQL injection flaw (CWE\u201189) that compromises the confidentiality of stored data.", "risk_and_exploitability": "The CVSS score of 9.3 indicates high severity. The EPSS score of less than 1% suggests that exploitation attempts are very rare at present, and the vulnerability is not noted in the CISA KEV catalog. Based on the description, the likely attack vector is remote via the public web interface, with an attacker needing only to craft a request to the identified endpoint. The attack requires the application to be reachable and the input parameters not to be otherwise protected by authentication or validation. Once triggered, the attacker can acquire database contents through the OOB channel."}}}}, "created": "2026-01-27T20:16:18.705184+00:00", "updated": "2026-04-16T07:30:28.596952+00:00", "vendors": ["quatuor", "quatuor$PRODUCT$evaluacion_de_desempeno"]}