Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.

Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Update Patch
AI Analysis

Impact

The vulnerability is an OS command injection flaw that allows an authenticated attacker to inject arbitrary commands into the request body sent to the contacts import route, thereby achieving remote code execution on the affected device. This can compromise the confidentiality, integrity, and availability of the device and any connected systems. The weakness is identified as CWE-78.

Affected Systems

The flaw affects Copeland XWEB 300D PRO, Copeland XWEB 500B PRO, and Copeland XWEB 500D PRO devices running firmware version 1.12.1 or earlier. The affected firmware is listed as copeland:xweb_300d_pro_firmware, copeland:xweb_500b_pro_firmware, and copeland:xweb_500d_pro_firmware.

Risk and Exploitability

The CVSS score of 8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the general population. The vulnerability is not listed in the CISA KEV catalog. A likely attack path involves an attacker who has legitimate credentials to the device sending a crafted request to the contacts import endpoint to execute shell commands. Successful exploitation would give the attacker full control over the device.

Generated by OpenCVE AI on April 16, 2026 at 15:44 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends that users update XWEB Pro to the latest version from its software update page, https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate, in the sections dedicated to the different XWEBPRO models.

OpenCVE Recommended Actions

  • Update the XWEB Pro firmware to the latest version via Copeland’s software update page or the SYSTEM → Updates menu on the device.
  • Revoke any compromised accounts and enforce strong, unique passwords for user authentication to limit the possibility of an attacker gaining credentials.
  • Restrict internet access to the XWEB Pro by placing it behind a firewall or disabling external connectivity, ensuring only local management traffic is allowed.
  • If the contacts import feature is not required, disable or remove it to eliminate the attack vector.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 19:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

  Type: First Time appeared
  Values Added: Copeland xweb 300d Pro; Copeland xweb 300d Pro Firmware; Copeland xweb 500b Pro; Copeland xweb 500b Pro Firmware; Copeland xweb 500d Pro; Copeland xweb 500d Pro Firmware

  Type: CPEs
  Values Added:
    cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
    cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
    cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
    cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
    cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
    cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*

  Type: Vendors & Products
  Values Added: Copeland xweb 300d Pro; Copeland xweb 300d Pro Firmware; Copeland xweb 500b Pro; Copeland xweb 500b Pro Firmware; Copeland xweb 500d Pro; Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

  Type: First Time appeared
  Values Added: Copeland; Copeland copeland Xweb 300d Pro; Copeland copeland Xweb 500b Pro; Copeland copeland Xweb 500d Pro

  Type: Vendors & Products
  Values Added: Copeland; Copeland copeland Xweb 300d Pro; Copeland copeland Xweb 500b Pro; Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

  Type: Description
  Values Added: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.

  Type: Title
  Values Added: Copeland XWEB and XWEB Pro OS Command Injection

  Type: Weaknesses
  Values Added: CWE-78

  Type: References

  Type: Metrics
  Values Added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T18:47:21.796Z

Reserved: 2026-02-05T16:55:52.336Z

Link: CVE-2026-21389

Vulnrichment

Updated: 2026-03-02T18:47:18.862Z

NVD

Status : Analyzed

Published: 2026-02-27T01:16:17.890

Modified: 2026-02-27T23:12:14.313

Link: CVE-2026-21389

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses