Cyber Posture

CVE-2026-1428

High · RCE

Published: 26 January 2026

Modified: 11 March 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1428 is a high-severity OS Command Injection (CWE-78) vulnerability in WellChoose Single Sign-On Portal System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). Its EPSS score ranks at the 32.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly prevents OS command injection in the WellChoose SSO portal by validating and sanitizing authenticated user inputs before OS command execution.

prevent: Restricts classes of inputs to the SSO system, blocking special characters and payloads that enable arbitrary OS command injection.

prevent: Remediates the specific OS command injection flaw (CVE-2026-1428) through timely patching or vendor-recommended fixes.

MITRE ATT&CK Enterprise Techniques · AI

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 · Command and Scripting Interpreter · Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

OS command injection in a remote SSO portal enables exploitation of remote services (T1210) to achieve arbitrary command execution via OS interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

Deeper analysis · AI

CVE-2026-1428, published on 2026-01-26, is an OS Command Injection vulnerability (CWE-78) affecting the Single Sign-On Portal System developed by WellChoose. The flaw enables authenticated remote attackers to inject arbitrary OS commands, which are then executed on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts across confidentiality, integrity, and availability.

Attackers require low privileges (PR:L) and authentication to exploit the vulnerability remotely over the network, with no user interaction needed. Exploitation allows them to execute arbitrary operating system commands on the server, potentially enabling full control over the affected system, data exfiltration, modification of critical files, or disruption of services.

Advisories from TWCERT detail mitigation strategies and are available at https://www.twcert.org.tw/en/cp-139-10655-59160-2.html and https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html.

Details

CWE(s)

Affected Products

wellchoose · single sign-on portal system · ≤ iftop_p4_181

CVEs Like This One

CVE-2026-1427 · Same product: WellChoose Single Sign-On Portal System
CVE-2025-11787 · Shared CWE-78
CVE-2025-44961 · Shared CWE-78
CVE-2026-24452 · Shared CWE-78
CVE-2026-25105 · Shared CWE-78
CVE-2026-33613 · Shared CWE-78
CVE-2025-30479 · Shared CWE-78
CVE-2025-55055 · Shared CWE-78
CVE-2026-24695 · Shared CWE-78
CVE-2026-5707 · Shared CWE-78
