CVE-2026-1481 in Evaluación de Desempeño

Summary

by MITRE • 01/27/2026

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter 'Id_usuario' in '/evaluacion_objetivos_anyo_sig_ver_auto.aspx' could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.


Analysis

by VulDB Data Team • 02/11/2026

CVE-2026-1481 is an out-of-band SQL injection flaw in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. The weakness is reachable through the 'Id_usuario' parameter of the '/evaluacion_objetivos_anyo_sig_ver_auto.aspx' endpoint and directly affects the confidentiality of the stored database contents. What sets an out-of-band injection apart from the classic error-based or UNION-based form is the extraction path: rather than reading results out of the application's HTTP response, the attacker makes the database server itself send the data to a host the attacker controls.

Technically, the flaw comes down to missing input validation and missing parameterization in the data-access code. The value of 'Id_usuario' is taken from the request and incorporated into the SQL query text without type checking, escaping, or parameter binding, so the database cannot tell where the intended query ends and attacker-supplied SQL begins; whatever follows a crafted identifier is parsed and executed as part of the statement, with the privileges of the application's database account.
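The following is an added example, not code from the EDD application or from VulDB, that contrasts the flawed pattern described above with the parameterized form. It uses an in-memory SQLite database so it runs offline; the table and column names (usuarios, objetivos, id_usuario) and the UNION payload are constructed for the illustration and are not taken from the product or from any published exploit. The out-of-band channel itself is DBMS-specific and is deliberately not reproduced here; the point shown is the injection point, which is the same whether the data leaves through the response or through a lookup the database server is induced to make.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's database.
    Schema and rows are assumptions for this example, not the EDD schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nombre TEXT, email TEXT);
        CREATE TABLE objetivos (id INTEGER PRIMARY KEY, id_usuario INTEGER, objetivo TEXT);
        INSERT INTO usuarios VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO usuarios VALUES (2, 'bob', 'bob@example.test');
        INSERT INTO objetivos VALUES (10, 1, 'objetivo A');
        INSERT INTO objetivos VALUES (11, 2, 'objetivo B');
    """)
    return conn


def objetivos_vulnerable(conn, id_usuario_raw):
    """Flawed pattern: the raw request parameter becomes part of the SQL text,
    so anything after a crafted identifier is executed as SQL."""
    sql = "SELECT objetivo FROM objetivos WHERE id_usuario = " + id_usuario_raw
    return [row[0] for row in conn.execute(sql)]


def parse_id_usuario(raw):
    """Allow-list validation: an identifier is a string of ASCII digits, nothing else.
    (str.isdigit() is avoided because it also accepts characters such as superscripts.)"""
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("Id_usuario must be a decimal integer")
    return int(raw)


def objetivos_parametrizado(conn, id_usuario_raw):
    """Hardened pattern: validate the type, then bind the value as a parameter.
    The SQL text is constant; the driver passes the value separately, so it is
    never parsed as SQL."""
    id_usuario = parse_id_usuario(id_usuario_raw)
    rows = conn.execute(
        "SELECT objetivo FROM objetivos WHERE id_usuario = ?", (id_usuario,)
    )
    return [row[0] for row in rows]


# Constructed attacker value: a UNION that pulls rows from an unrelated table.
PAYLOAD = "1 UNION SELECT nombre || ':' || email FROM usuarios"

if __name__ == "__main__":
    db = build_db()
    print(objetivos_vulnerable(db, "1"))
    print(objetivos_vulnerable(db, PAYLOAD))   # rows from usuarios leak alongside the objective
    print(objetivos_parametrizado(db, "1"))
    try:
        objetivos_parametrizado(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

In an ASP.NET Web Forms application the same split applies: the fix is a constant query with a bound SqlParameter (or an ORM that binds for you) plus an integer parse of the request value before it reaches the data layer, never escaping or filtering of the string.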

From an operational impact perspective, the vulnerability primarily threatens the confidentiality of the data held in the EDD database. An attacker exploiting the flaw can extract schema details, user records and other sensitive rows through an external channel such as a DNS lookup, an HTTP callback, or a file-system operation against an attacker-controlled host, rather than reading the data out of the application's HTTP response. Because the response carries no trace of the extraction, the application's own logs and any response-based inspection see nothing unusual; the channel does, however, appear in the outbound DNS, proxy, or firewall logs of the database server, which is where it has to be watched for. The technique is also attractive when the injection is blind, since it replaces slow, inference-based extraction with a direct read of the data. The exposure is particularly serious where the stored records are personal information subject to data-protection regulation.

The vulnerability is classed here under CWE-643; that entry covers XPath injection, and the more precise classification for a flaw in SQL query construction is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'). The out-of-band channel corresponds to ATT&CK T1071.004 (Application Layer Protocol: DNS) when lookups are used to carry the data. The primary fix is to build the affected query with parameterized statements (in ASP.NET, typically SqlCommand with SqlParameter in ADO.NET) instead of string concatenation, and to validate 'Id_usuario' as an integer before it reaches the data layer; input sanitization on its own is not a substitute. Supporting controls are a database account for the application holding only the rights it needs (in particular no permission to run stored procedures that reach the file system or network, which is how out-of-band channels are usually opened), a web application firewall in front of the application, and egress filtering plus monitoring of DNS and HTTP traffic originating from the database server. The other endpoints of the application should be reviewed for the same concatenation pattern, since a flaw of this kind is rarely confined to a single parameter.
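As an added example of the monitoring the previous paragraphs call for (not code from the product, from VulDB or from any published detection rule), the script below scans a DNS query log for the pattern an out-of-band extraction leaves behind: a database server resolving names whose labels are encoded data rather than hostnames. The log layout, the host names (db-srv01, ws-042), the domain oob.attacker.example and the encoded labels are all constructed for the example; the labels carry the hex of 'alice:alice@example.test' and 'bob:bob@example.test' to stand in for leaked rows. Decoding is included only for triage; the actionable signal is the source host, not the content.

```python
import math
import re

# Constructed sample log, "<timestamp> <client> <qtype> <qname>" per line. Not a real capture.
SAMPLE_LOG = """\
2026-02-11T10:00:01Z db-srv01 A wsus.corp.example
2026-02-11T10:00:02Z db-srv01 A 616c6963653a616c69636540.6578616d706c652e74657374.oob.attacker.example
2026-02-11T10:00:02Z ws-042 A www.example.org
2026-02-11T10:00:03Z db-srv01 A 626f623a626f6240.6578616d706c652e74657374.oob.attacker.example
2026-02-11T10:00:05Z ws-042 AAAA cdn.example.net
"""

# Hosts that have no business resolving arbitrary external names; an assumption for the example.
DB_HOSTS = {"db-srv01"}

# A label made entirely of hex digits and at least 16 characters long is not a hostname.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(s):
    """Bits per character: random-looking encodings (base32/base36) score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_labels(qname):
    """Return the labels of qname that look like an encoded payload."""
    out = []
    for label in qname.split("."):
        if HEX_LABEL.match(label):
            out.append(label)
        elif len(label) >= 20 and shannon_entropy(label) > 3.5:
            out.append(label)
    return out


def decode_hex(labels):
    """Best-effort recovery of what hex-encoded labels carried; None if not valid hex."""
    try:
        return bytes.fromhex("".join(labels)).decode("utf-8", "replace")
    except ValueError:
        return None


def detect(log_text, db_hosts=DB_HOSTS):
    """One finding per query whose name contains payload-like labels.
    'from_db_server' is the field to alert on: a database host doing this is the OOB signature."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash the scan
        ts, client, qtype, qname = parts
        qname = qname.lower().rstrip(".")
        labels = suspicious_labels(qname)
        if not labels:
            continue
        findings.append({
            "time": ts,
            "client": client,
            "qtype": qtype,
            "from_db_server": client in db_hosts,
            "qname": qname,
            "decoded": decode_hex(labels),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        flag = "DB-SERVER" if f["from_db_server"] else "client"
        print(f"{f['time']} {flag:9} {f['client']} -> {f['qname']} decoded={f['decoded']!r}")
```

Pointing this at resolver or firewall logs, with DB_HOSTS populated from inventory, gives a cheap first detection; a stricter rule is simply to alert on any external lookup from a database server, since with proper egress filtering there should be none.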

Responsible

INCIBE

Reservation

01/27/2026

Disclosure

01/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00327

KEV

no

Activities

very low

Sources
