Vulnerability Summary

  • TVN Number: TVN-202601010
  • CVE Identifiers: CVE-2026-1427, CVE-2026-1428, CVE-2026-1429
  • Highest CVSS Score: 8.8 (High)

Affected Product

  • Vendor: WellChoose
  • Product: Single Sign-On Portal System
  • Affected Versions: Prior to IFTOP_P4_181
  • Patched Version: IFTOP_P4_181 or later

Vulnerability Details

CVE-2026-1427: OS Command Injection

CVSS Score: 8.8 (High)

The system allows authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVE-2026-1428: OS Command Injection

CVSS Score: 8.8 (High)

A second OS command injection flaw permits authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVE-2026-1429: Reflected Cross-Site Scripting

CVSS Score: 5.4 (Medium)

A reflected XSS vulnerability permits authenticated remote attackers to execute arbitrary JavaScript code in a user's browser through phishing attacks.

Impact

The two OS command injection vulnerabilities pose a critical risk, allowing authenticated attackers to gain complete control over the server by executing arbitrary commands. The XSS vulnerability enables session hijacking and credential theft through social engineering attacks.

Remediation

Update to IFTOP_P4_181 or later immediately to address all three vulnerabilities.

Timeline

  • Public Disclosure: January 26, 2026

Credits

  • Discovered by: YuCheng Lin (CHT Security)

Metadata

  • Source: TWCERT/CC
  • Confidence: High