Description
Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
Published: 2026-01-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via OS command injection
Action: Immediate patch
AI Analysis

Impact

The single sign‑on portal system by WellChoose is vulnerable to OS command injection. Authenticated remote attackers can inject arbitrary operating‑system commands, leading to execution on the server and compromising confidentiality, integrity, and availability. The weakness is identified as CWE‑78.

Affected Systems

All versions of the WellChoose single sign‑on portal system are affected. The vendor recommends upgrading to version IFTOP_P4_181 or later to remediate the vulnerability.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would require authenticated access to the system, which, based on the description, is the likely attack vector. If exploited, the injected commands would be executed with the privileges of the underlying service, potentially giving full control over the affected server.

Generated by OpenCVE AI on April 18, 2026 at 02:42 UTC.

Remediation

Vendor Solution

Update to version IFTOP_P4_181 or later.


OpenCVE Recommended Actions

  • Update the WellChoose single sign‑on portal system to version IFTOP_P4_181 or later as recommended by the vendor.
  • Configure the application to run with the least privilege necessary, limiting the permissions of the account under which the portal operates.
  • Disable or restrict any unused features or interfaces that construct system commands, and validate or sanitize all user inputs that may influence command execution.


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 23:00:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:wellchoose:single_sign-on_portal_system:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wellchoose; Wellchoose single Sign-on Portal System

Type: Vendors & Products
Values Removed: (none)
Values Added: Wellchoose; Wellchoose single Sign-on Portal System

Mon, 26 Jan 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 08:30:00 +0000

Type: Description
Values Removed: Organization Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.
Values Added: Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

Type: Title
Values Removed: WellChoose|Organization Portal System - OS Command Injection
Values Added: WellChoose|Single Sign-On Portal System - OS Command Injection

Mon, 26 Jan 2026 08:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Organization Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

Type: Title
Values Removed: (none)
Values Added: WellChoose|Organization Portal System - OS Command Injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-26T14:07:52.296Z

Reserved: 2026-01-26T07:21:57.296Z

Link: CVE-2026-1427

Vulnrichment

Updated: 2026-01-26T14:07:49.073Z

NVD

Status: Analyzed

Published: 2026-01-26T08:16:00.753

Modified: 2026-03-11T22:51:20.227

Link: CVE-2026-1427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses