XWEB Pro: Malicious Input Can Run System Commands

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

XWEB Pro: Malicious Input Can Run System Commands

CVE-2026-20764

Summary

XWEB Pro versions 1.12.1 and earlier are at risk if an attacker, who has already logged in, can trick the system into running malicious commands by submitting fake device hostnames. This could allow the attacker to take control of the system. Update to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
copeland	xweb_300d_pro_firmware	<= 1.12.1	–
copeland	xweb_500d_pro_firmware	<= 1.12.1	–
copeland	xweb_500b_pro_firmware	<= 1.12.1	–

Original title

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input ...

Original description

An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
providing malicious input via the device hostname configuration which
is later processed during system setup, resulting in remote code
execution.

nvd CVSS3.1 8.8

Vulnerability type

CWE-78 OS Command Injection

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10 Third Party Advisory US Government Resource

Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026