CVE-2026-24663
Received
Received - Intake
OS Command Injection in XWEB Pro Allows Remote Code Execution
Publication date: 2026-02-27
Last updated on: 2026-03-09
Assigner: ICS-CERT
Description
Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request to the libraries
installation route and injecting malicious input into the request body.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| copeland | xweb_500b_pro_firmware | to 1.12.1 (inc) |
| copeland | xweb_300d_pro_firmware | to 1.12.1 (inc) |
| copeland | xweb_500d_pro_firmware | to 1.12.1 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
