CVE-2026-20902

nvd nist
Published: Feb 27, 2026
Modified: Feb 27, 2026

Base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.

Affected (3)

3 products
Xweb 300d Pro Firmware
Xweb 500d Pro Firmware
Xweb 500b Pro Firmware

Configuration A
1 vulnerable · 1 platform
Vulnerable Software, Affected Versions: Up to 1.12.1
Running on/with: Copeland Xweb 300d Pro, Platform Versions: All versions

Configuration B
1 vulnerable · 1 platform
Vulnerable Software, Affected Versions: Up to 1.12.1
Running on/with: Copeland Xweb 500d Pro, Platform Versions: All versions

Configuration C
1 vulnerable · 1 platform
Vulnerable Software, Affected Versions: Up to 1.12.1
Running on/with: Copeland Xweb 500b Pro, Platform Versions: All versions

References (3)

Source: ics-cert@hq.dhs.gov
Third Party Advisory, US Government Resource

Timeline

No history available yet.