Description
An OS command injection

vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into requests sent to the templates route.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in the templates route of Copeland XWEB Pro devices. An authenticated attacker who can send requests to this endpoint can inject arbitrary shell commands, which the firmware will execute with system privileges. The vulnerability is a classic instance of CWE‑78 and allows the attacker to alter the confidentiality, integrity, and availability of the affected system by running any code they choose.

Affected Systems

Affected models include Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO. All firmware builds 1.12.1 and earlier are susceptible to this issue.

Risk and Exploitability

The CVSS score of 8.0 marks this as a high‑severity flaw, and although the EPSS score is below 1%, indicating a low probability of exploitation at this time, the availability of an in‑product patch and its presence in the CISA advisory imply that an attacker could still successfully exploit it. The attack requires authentication and the ability to reach the templates route; thus, threat practitioners should treat it as a high‑impact vulnerability but maintain ongoing vigilance as exploitation techniques evolve.

Generated by OpenCVE AI on April 17, 2026 at 14:07 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Apply the vendor’s latest XWEB Pro firmware update via the Copeland software‑update page or the Network menu; this patch removes the command‑injection flaw.
  • Restrict external access to the XWEB Pro device, limiting the templates route to trusted internal networks or disabling remote update features where possible.
  • Configure firewall rules or network segmentation to block unauthenticated or unauthorized traffic from reaching the affected endpoint, thereby reducing the attack surface.

Generated by OpenCVE AI on April 17, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T18:41:51.393Z

Reserved: 2026-02-05T16:55:52.357Z

Link: CVE-2026-20742

cve-icon Vulnrichment

Updated: 2026-03-02T18:41:39.816Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T01:16:17.317

Modified: 2026-02-27T23:13:46.087

Link: CVE-2026-20742

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses