CVE-2026-1477

Name of the Vulnerable Software and Affected Versions Performance Evaluation (EDD) application (affected versions not specified)

Description An out-of-band SQL injection flaw exists in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploitation of this flaw could allow an attacker to extract sensitive information from the database through external channels. The vulnerability is present in the Id usuario and Id evaluacion parameters within the '/evaluacion competencias evalua old.aspx' API endpoint. This allows for data exfiltration without the application directly returning the information, potentially compromising data confidentiality. An out-of-band SQL injection (OOB SQLi) is a technique where an attacker leverages the database server's ability to make network requests to an attacker-controlled server, enabling data exfiltration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.