CVE-2026-20902
Published: 2026-02-27
Priority: P2 63 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.49% (70.9th percentile)
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| copeland | copeland_xweb_300d_pro | <= 1.12.1 | — |
| copeland | copeland_xweb_500b_pro | <= 1.12.1 | — |
| copeland | copeland_xweb_500d_pro | <= 1.12.1 | — |
| copeland | xweb_300d_pro_firmware | <= 1.12.1 | — |
| copeland | xweb_500b_pro_firmware | <= 1.12.1 | — |
| copeland | xweb_500d_pro_firmware | <= 1.12.1 | — |
CISA ICS
Copeland XWEB and XWEB Pro
cisa_ics·2026-02-26·CVSS 8.0
[HIGH] Copeland XWEB and XWEB Pro
ICS Advisory
## Copeland XWEB and XWEB Pro
Release Date: February 26, 2026
Alert Code: ICSA-26-057-10
## Summary
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code.
The following versions of Copeland XWEB and XWEB Pro are affected:
- XWEB 300D PRO <=1.12.1 (CVE-2026-25085, CVE-2026-21718, CVE-2026-24663, CVE-2026-21389, CVE-2026-25111, CVE-2026-20742, CVE-2026-24517, CVE-2026-25195, CVE-2026-20910, CVE-2026-24689, CVE-2026-25109, CVE-2026-20902, CVE-2026-24695, CVE-2026-25105, CVE-2026-24452, CVE-2026-23702, CVE-2026-25721, CVE-2026
GHSA
ghsa_unreviewed·2026-02-27
CVE-2026-20902 [HIGH] CWE-78 GHSA-xx68-gfhf-pwvh: An OS command injection
vulnerability exists in XWEB Pro version 1
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the map filename field during the map
upload action of the parameters route.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.