CVE-2026-20910 HIGH

CVE-2026-20910: Copeland XWEB and XWEB Pro OS Command Injection

Vendor Copeland

Product Copeland XWEB 300D PRO

Weakness CWE-78

Published February 27, 2026

Last update June 4, 2026

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

June 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-20910

Related vulnerabilities

Identifiers

CVE CVE-2026-20910

CWE CWE-78

CVSS 8.0 / HIGH

Affected versions

Vendor Copeland

Product Copeland XWEB 300D PRO

Affected ≤ 1.12.1

Vendor Copeland

Product Copeland XWEB 500D PRO

Affected ≤ 1.12.1

Vendor Copeland

Product Copeland XWEB 500B PRO

Affected ≤ 1.12.1

CVE-2026-20910: Copeland XWEB and XWEB Pro OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE