Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
XWEB Pro: Unsecured Map Upload Allows Remote Code Execution
CVE-2026-20902
Summary
An attacker can exploit a weakness in XWEB Pro version 1.12.1 and earlier to execute unauthorized commands on the system. This could happen if a user with an account uploads a malicious file with a specially crafted name. To protect your system, update to the latest version of XWEB Pro or remove the vulnerable version from your network.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| copeland | xweb_300d_pro_firmware | <= 1.12.1 | – |
| copeland | xweb_500d_pro_firmware | <= 1.12.1 | – |
| copeland | xweb_500b_pro_firmware | <= 1.12.1 | – |
Original title
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious inp...
Original description
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the map filename field during the map
upload action of the parameters route.
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the map filename field during the map
upload action of the parameters route.
nvd CVSS3.1
8.8
Vulnerability type
CWE-78
OS Command Injection
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
- https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate Product
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10 Third Party Advisory US Government Resource
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026