CVE-2026-20902

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json	Third Party Advisory
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-27 01:16

Updated : 2026-02-27 23:13

NVD link : CVE-2026-20902

Mitre link : CVE-2026-20902

CVE.ORG link : CVE-2026-20902

JSON object : View

Products Affected

copeland

xweb_300d_pro
xweb_300d_pro_firmware
xweb_500b_pro_firmware
xweb_500b_pro
xweb_500d_pro_firmware
xweb_500d_pro

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-20902", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-27T01:16:17.520", "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json", "tags": ["Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection \n\n\n\nvulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an \nauthenticated attacker to achieve remote code execution on the system by\n injecting malicious input into the map filename field during the map \nupload action of the parameters route."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo (OS) existe en XWEB Pro versi\u00f3n 1.12.1 y anteriores, lo que permite a un atacante autenticado lograr la ejecuci\u00f3n remota de c\u00f3digo en el sistema al inyectar entrada maliciosa en el campo de nombre de archivo del mapa durante la acci\u00f3n de carga de mapas de la ruta de par\u00e1metros."}], "lastModified": "2026-02-27T23:13:13.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF93AA67-7ABF-45C8-8376-7A28F7D65464", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AEA10B9B-531A-4775-B32D-AC743D696126"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "088F312E-06DF-4B90-A478-A6B5A39DE0F0", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A524988E-E22F-4B0F-AEE6-46B3F103989C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E13AD164-C82A-4D6C-84C0-83EB8B0A611C", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1707F67B-6365-4065-812C-7CC596C6CFF1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}