CVE-2026-1473
Published: 27 January 2026
Summary
CVE-2026-1473 is a critical-severity SQL Injection (CWE-89) vulnerability in Quatuor Evaluacion De Desempeno. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1473 is an out-of-band SQL injection vulnerability (OOB SQLi), classified under CWE-89, in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. The issue affects the 'Id_usuario' parameter in the '/evaluacion_competencias_evalua.aspx' endpoint, where attackers can inject payloads to extract sensitive information from the database through external channels, bypassing direct data return by the application and compromising confidentiality.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), making it exploitable over the network by unauthenticated attackers with low attack complexity and no user interaction required. Exploitation enables remote adversaries to retrieve confidential database contents via out-of-band techniques, such as DNS or HTTP requests, without impacting integrity or availability.
Mitigation guidance is available in the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4745
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_competencias_evalua.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB SQL injection in an unauthenticated web endpoint directly enables remote exploitation of a public-facing application for database data extraction.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by validating and sanitizing the 'Id_usuario' parameter to reject malicious payloads before database execution.
SI-2 ensures timely flaw remediation through patching or code fixes for the specific SQL injection vulnerability in the EDD application.
SI-9 restricts the 'Id_usuario' parameter to safe, allowlisted values such as numeric user IDs, blocking SQL injection attempts.
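The SI-10 and SI-9 controls above, shown as an added example that is not code from the advisory or from the EDD application: a simulated handler for the 'Id_usuario' parameter in its defective form (CWE-89 string splicing) beside a hardened form that allowlists a numeric id and binds it as a query parameter. Python and an in-memory SQLite database stand in for the ASP.NET/SQL backend, and the table, column names and sample rows are constructed.

```python
import re
import sqlite3

# Constructed sample rows standing in for the evaluation database (not real data).
SAMPLE_USERS = [(1, "ana", "RRHH"), (2, "luis", "IT"), (3, "marta", "Finanzas")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nombre TEXT, departamento TEXT)")
    con.executemany("INSERT INTO usuarios VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def evalua_vulnerable(con: sqlite3.Connection, id_usuario: str) -> list:
    # The CWE-89 defect pattern: the request parameter is spliced into the SQL text,
    # so anything the caller sends is interpreted as part of the query.
    sql = f"SELECT id, nombre, departamento FROM usuarios WHERE id = {id_usuario}"
    return con.execute(sql).fetchall()


# SI-9 style allowlist (assumed format): a short decimal integer and nothing else.
ID_USUARIO_PATTERN = r"[0-9]{1,9}"


def validate_id_usuario(raw: str) -> int:
    # SI-10: reject anything that is not a plain numeric user id before it
    # reaches the database; the caller receives an error, not a query result.
    if raw is None or re.fullmatch(ID_USUARIO_PATTERN, raw) is None:
        raise ValueError("Id_usuario must be a decimal user id")
    return int(raw)


def evalua_hardened(con: sqlite3.Connection, id_usuario: str) -> list:
    uid = validate_id_usuario(id_usuario)
    # Parameterised query: the value is bound by the driver, never parsed as SQL.
    return con.execute(
        "SELECT id, nombre, departamento FROM usuarios WHERE id = ?", (uid,)
    ).fetchall()


def demo() -> tuple:
    # Constructed tautology input used only to show over-retrieval versus rejection.
    con = make_db()
    injected = "2 OR 1=1"
    leaked_rows = len(evalua_vulnerable(con, injected))  # every row comes back
    try:
        hardened = evalua_hardened(con, injected)
    except ValueError:
        hardened = "rejected"
    return leaked_rows, hardened, evalua_hardened(con, "2")
```

In the real application the same fix is a parameterised SqlCommand; independently, egress filtering on the database host removes the external DNS or HTTP channel that OOB exfiltration depends on.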