CVE-2026-24663 CRITICAL

CVE-2026-24663: Copeland XWEB and XWEB Pro OS Command Injection

Vendor Copeland

Product Copeland XWEB 300D PRO

Weakness CWE-78

Published February 27, 2026

Last update March 2, 2026

View on NVD All CVEs

CVSS base score

9.0/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

March 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24663 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2026-24663

CWE CWE-78

CVSS 9.0 / CRITICAL

Affected versions

Vendor Copeland

Product Copeland XWEB 300D PRO

Affected ≤ 1.12.1

Vendor Copeland

Product Copeland XWEB 500D PRO

Affected ≤ 1.12.1

Vendor Copeland

Product Copeland XWEB 500B PRO

Affected ≤ 1.12.1

CVE-2026-24663: Copeland XWEB and XWEB Pro OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE