Impact
The vulnerability in the IFTOP application, identified as a Local File Inclusion flaw (CWE-98), allows unauthenticated remote attackers to execute arbitrary code on the server. The flaw permits inclusion of arbitrary files, enabling the attacker to run code with the privileges of the web server process. This results in a full compromise of confidentiality, integrity, and availability for the affected system. Key detail from vendor description: "IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server." Key detail from the CWE list: "CWE-98 (Local File Inclusion)."
Affected Systems
Affected systems are those built on WellChoose's IFTOP software. All installations running versions earlier than IFTOP_P4_181 are vulnerable. The vendor recommends updating to IFTOP_P4_181 or a later release to eliminate the flaw. Key detail from known solution: "Update to version IFTOP_P4_181 or later." No specific version mapping is provided beyond this upgrade path.
Risk and Exploitability
The CVSS score of 9.3 signals critical severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, indicating it has not yet been widely exploited in known attacks. Key detail from scores: "CVSS Score: 9.3, EPSS Score: < 1%, KEV: not listed in KEV." Attackers can exploit the flaw over the network without authentication and execute arbitrary code with the application's privileges. Consequently, the risk to affected deployments remains high until they are patched.