CVE-2026-24663
CRITICAL WAF: High
CVSS 9.8
Published: 2026-02-27
CWE-78
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| copeland | xweb_500b_pro_firmware | up to 1.12.1 |
| copeland | xweb_300d_pro_firmware | up to 1.12.1 |
| copeland | xweb_500d_pro_firmware | up to 1.12.1 |
References
- github.com (Third Party Advisory)
- webapps.copeland.com (Product)
- www.cisa.gov (Third Party Advisory, US Government Resource)