Noam Moshe

30 exploits Active since Sep 2019
CVE-2026-20742 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.
CVSS 8.0
CVE-2026-20764 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.
CVSS 8.0
CVE-2026-20797 WRITEUP MEDIUM WRITEUP
Copeland XWEB 300D PRO, 500D PRO, 500B PRO < 1.12.1 - Unauthenticated Stack-based Buffer Overflow
A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program.
CVSS 4.3
CVE-2026-20902 WRITEUP HIGH WRITEUP
XWEB Pro <=1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.
CVSS 8.0
CVE-2026-20910 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution.
CVSS 8.0
CVE-2026-21389 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.
CVSS 8.0
CVE-2026-21718 WRITEUP CRITICAL WRITEUP
Copeland XWEB Pro <1.12.1 - Auth Bypass
An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system.
CVSS 10.0
CVE-2026-22877 WRITEUP LOW WRITEUP
Copeland XWEB 300D/500D/500B Pro Firmware < 1.12.1 - Unauthenticated Arbitrary File Read
An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.
CVSS 3.7
CVE-2026-23702 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route.
CVSS 8.0
CVE-2026-24452 WRITEUP HIGH WRITEUP
XWEB Pro <=1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route.
CVSS 8.0
CVE-2026-24517 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.
CVSS 8.0
CVE-2026-24663 WRITEUP CRITICAL WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body.
CVSS 9.0
CVE-2026-24689 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action.
CVSS 8.0
CVE-2026-24695 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route, leading to remote code execution.
CVSS 8.0
CVE-2026-25037 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.
CVSS 8.0
CVE-2026-25085 WRITEUP HIGH WRITEUP
Copeland XWEB Pro <1.12.1 - Auth Bypass
A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the authentication routine is later on processed as a legitimate value, resulting in an authentication bypass.
CVSS 8.6
CVE-2026-25105 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into parameters of the Modbus command tool in the debug route.
CVSS 8.0
CVE-2026-25109 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route.
CVSS 8.0
CVE-2026-25111 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the restore route.
CVSS 8.0
CVE-2026-25195 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route.
CVSS 8.0
CVE-2026-25196 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the Wi-Fi SSID and/or password fields can lead to remote code execution when the configuration is processed.
CVSS 8.0
CVE-2026-25721 WRITEUP HIGH WRITEUP
XWEB Pro <1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.
CVSS 8.0
CVE-2026-3037 WRITEUP HIGH WRITEUP
XWEB Pro <=1.12.1 - Command Injection
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.
CVSS 8.0
CVE-2025-3232 WRITEUP HIGH WRITEUP
Mitsubishi Electric Europe smartRTU < 3.37 - Unauthenticated Remote Code Execution via API Route
A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands.
CVSS 7.5
CVE-2025-64126 WRITEUP CRITICAL WRITEUP
Zenitel TCIV-3+ < 9.3.3.0 - Unauthenticated OS Command Injection via IP Address Parameter
An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.
CVSS 10.0