CVE-2026-1483

Severity CVSS v4.0:

CRITICAL

Type:

CWE-89 SQL Injection

Publication date:

27/01/2026

Last modified:

27/01/2026

Description

An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter &#39;Id_usuario&#39; in &#39;/evaluacion_objetivos_ver_auto.aspx&#39;, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 9.30 CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): Low
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0

9.30

Severity 4.0

CRITICAL

References to Advisories, Solutions, and Tools

https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation