CVE-2026-20742

Published: Feb 27, 2026Modified: Feb 27, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.

Affected (3)

Products: Copeland: Xweb 300d Pro Firmware, Xweb 500d Pro Firmware, Xweb 500b Pro Firmware

Copeland

3 products

Xweb 300d Pro Firmware

Xweb 500d Pro Firmware

Xweb 500b Pro Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Copeland Xweb 300d Pro Firmware	Up to 1.12.1

Running on/with	Platform Versions
Copeland Xweb 300d Pro	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Copeland Xweb 500d Pro Firmware	Up to 1.12.1

Running on/with	Platform Versions
Copeland Xweb 500d Pro	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Copeland Xweb 500b Pro Firmware	Up to 1.12.1

Running on/with	Platform Versions
Copeland Xweb 500b Pro	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json

Source: ics-cert@hq.dhs.gov

Third Party Advisory

https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate

Source: ics-cert@hq.dhs.gov

Product

https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.