CVE-2026-21389

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json	Third Party Advisory
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-27 01:16

Updated : 2026-02-27 23:12

NVD link : CVE-2026-21389

Mitre link : CVE-2026-21389

CVE.ORG link : CVE-2026-21389

JSON object : View

Products Affected

copeland

xweb_300d_pro
xweb_300d_pro_firmware
xweb_500b_pro_firmware
xweb_500b_pro
xweb_500d_pro_firmware
xweb_500d_pro

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-21389", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-27T01:16:17.890", "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json", "tags": ["Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection \nvulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an \nauthenticated attacker to achieve remote code execution on the system by\n injecting malicious input into the request body sent to the contacts \nimport route."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo (OS) existe en XWEB Pro versi\u00f3n 1.12.1 y anteriores, lo que permite a un atacante autenticado lograr la ejecuci\u00f3n remota de c\u00f3digo en el sistema mediante la inyecci\u00f3n de entrada maliciosa en el cuerpo de la solicitud enviado a la ruta de importaci\u00f3n de contactos."}], "lastModified": "2026-02-27T23:12:14.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF93AA67-7ABF-45C8-8376-7A28F7D65464", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AEA10B9B-531A-4775-B32D-AC743D696126"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "088F312E-06DF-4B90-A478-A6B5A39DE0F0", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A524988E-E22F-4B0F-AEE6-46B3F103989C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E13AD164-C82A-4D6C-84C0-83EB8B0A611C", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1707F67B-6365-4065-812C-7CC596C6CFF1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}