CVE-2026-20910
8.0 HIGHAn OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote...
Published: 2026-02-27 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 8.0 HIGH
- Vector
- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
- CWE
- CWE-78
Affected products
| Vendor | Product |
|---|---|
| copeland | xweb_300d_pro_firmware, xweb_500b_pro_firmware, xweb_500d_pro_firmware |
Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-25109 — An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remo... (8.0 HIGH)
Same CWE
- CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
- CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
- CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
- CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)
- CVE-2026-12161 — Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user ... (8.8 HIGH)