CVE-2026-20902

HIGH

XWEB Pro <=1.12.1 - Command Injection

Title source: llm

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.

References (3)

[Third Party Advisory] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json

View Writeup ZIP pw:eip

[Various Sources] https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10

Scores

CVSS v3 8.0

EPSS 0.0026

EPSS Percentile 49.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (3)

copeland/xweb_300d_pro_firmware < 1.12.1

copeland/xweb_500d_pro_firmware < 1.12.1

copeland/xweb_500b_pro_firmware < 1.12.1

Timeline

Published Feb 27, 2026

Tracked Since Feb 27, 2026