CRITICALCVE-2026-1478Published Modified CNA INCIBE
CVE-2026-1478: Out-of-band SQL injection in Quatuor Performance Evaluation
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' and 'Id_evaluacion’ in ‘/evaluacion_hca_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- 11/12/2025
- Affected Products
- 1
Fix available
11/12/2025
Affected packages
- Quatuor / Evaluación de Desempeño (EDD)< 11/12/2025 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:NReferences