Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

An authenticated attacker can inject malicious data into the map filename field during a map upload action, allowing execution of arbitrary operating-system commands on a Copeland XWEB Pro device. The vulnerability is classified as CWE-78 and enables the attacker to gain remote code execution, thereby compromising the confidentiality, integrity, and availability of the device and any network it controls.
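As an added illustration, not code from XWEB Pro or Copeland, the following Python contrasts the CWE-78 pattern the description names (an uploaded map filename reaching a shell) with a hardened version that allowlists the name and hands the OS an argument vector instead of a shell string; the storage directory and allowlist pattern are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Constructed example of the CWE-78 pattern behind this advisory: a map
# filename taken from an upload form is handed to the operating system.
# Neither the directory nor the allowlist comes from the real product.
MAP_DIR = Path("/var/maps")                                   # assumed
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|svg)$")   # assumed


def build_shell_command_vulnerable(filename: str) -> str:
    # Vulnerable pattern: untrusted input concatenated into a shell string,
    # so any shell metacharacter in the filename becomes part of the command.
    return f"cp /tmp/upload {MAP_DIR}/{filename}"


def validate_map_filename(filename: str) -> str:
    # Strict allowlist: letters, digits, '_', '-', one known extension.
    # This also rejects path separators, so "../" traversal fails here too.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid map filename")
    return filename


def store_map_safely(filename: str, src: str, run=subprocess.run) -> list[str]:
    # Hardened form: the name is validated first, then passed as one argv
    # element with no shell involved, so it can never be interpreted as code.
    name = validate_map_filename(filename)
    argv = ["cp", "--", src, str(MAP_DIR / name)]
    run(argv, check=True)  # `run` is parameterised so tests need not copy files
    return argv
```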

Affected Systems

The affected products are Copeland XWEB 300D Pro, XWEB 500B Pro, and XWEB 500D Pro. Firmware versions 1.12.1 and earlier are vulnerable. Users should verify their firmware version against the list of vulnerable models provided by Copeland.

Risk and Exploitability

The CVSS score of 8.0 indicates high severity, while the EPSS score of less than 1% suggests a very low but nonzero exploitation probability. The attack requires authentication and the ability to trigger the upload path, which reduces the likelihood of exploitation by unauthenticated remote actors but still poses significant risk if privileged credentials are compromised. The vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 10:19 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends that users update XWEB Pro to the latest version from its software update page, https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate, in the sections dedicated to the different XWEB PRO models.


OpenCVE Recommended Actions

  • Update the XWEB Pro firmware to the latest version using the Copeland software update page or the NETWORK > System > Updates menu.
  • If an immediate firmware upgrade cannot be performed, enforce strict authentication by changing default passwords, limiting administrative accounts, and disabling remote management for untrusted networks.
  • Configure the device or network firewall to block unauthenticated or suspicious map upload requests and monitor system logs for anomalous activity.

Generated by OpenCVE AI on April 18, 2026 at 10:19 UTC.


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 02:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 23:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Copeland xweb 300d Pro
  Copeland xweb 300d Pro Firmware
  Copeland xweb 500b Pro
  Copeland xweb 500b Pro Firmware
  Copeland xweb 500d Pro
  Copeland xweb 500d Pro Firmware

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
  cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
  cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
  cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Copeland xweb 300d Pro
  Copeland xweb 300d Pro Firmware
  Copeland xweb 500b Pro
  Copeland xweb 500b Pro Firmware
  Copeland xweb 500d Pro
  Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Copeland
  Copeland copeland Xweb 300d Pro
  Copeland copeland Xweb 500b Pro
  Copeland copeland Xweb 500d Pro

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Copeland
  Copeland copeland Xweb 300d Pro
  Copeland copeland Xweb 500b Pro
  Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.

Type: Title
Values Removed: (none)
Values Added: Copeland XWEB and XWEB Pro OS Command Injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-78

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-03T01:25:09.389Z

Reserved: 2026-02-05T16:55:52.415Z

Link: CVE-2026-20902

Vulnrichment

Updated: 2026-03-03T01:25:03.967Z

NVD

Status: Analyzed

Published: 2026-02-27T01:16:17.520

Modified: 2026-02-27T23:13:13.603

Link: CVE-2026-20902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses