Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
XWEB Pro Can Execute Malicious Commands Remotely
CVE-2026-24663
Summary
An attacker can send a specially crafted request to XWEB Pro, potentially allowing them to execute malicious commands on the system without needing a password. This could lead to unauthorized access and data theft. Update to the latest version of XWEB Pro to fix this vulnerability.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| copeland | xweb_500b_pro_firmware | <= 1.12.1 | – |
| copeland | xweb_300d_pro_firmware | <= 1.12.1 | – |
| copeland | xweb_500d_pro_firmware | <= 1.12.1 | – |
Original title
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request...
Original description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request to the libraries
installation route and injecting malicious input into the request body.
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request to the libraries
installation route and injecting malicious input into the request body.
nvd CVSS3.1
9.0
Vulnerability type
CWE-78
OS Command Injection
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026