CVE-2026-25195
MEDIUM WAF: High
CVSS 6.6
Published: 2026-02-27
CWE-78
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| copeland | xweb_300d_pro_firmware | up to 1.12.1 |
| copeland | xweb_500b_pro_firmware | up to 1.12.1 |
| copeland | xweb_500d_pro_firmware | up to 1.12.1 |
References
- github.com (Third Party Advisory)
- webapps.copeland.com (Product)
- www.cisa.gov (Third Party Advisory, US Government Resource)