CVE-2026-25037 HIGH

CVE-2026-25037: Copeland XWEB and XWEB Pro OS Command Injection

Vendor Copeland

Product Copeland XWEB 300D PRO

Weakness CWE-78

Published February 27, 2026

Last update March 2, 2026

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

March 2, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25037

Related vulnerabilities

Identifiers

CVE CVE-2026-25037

CWE CWE-78

CVSS 8.0 / HIGH

Affected versions

Vendor Copeland

Product Copeland XWEB 300D PRO

Affected ≤ 1.12.1

Vendor Copeland

Product Copeland XWEB 500D PRO

Affected ≤ 1.12.1

Vendor Copeland

Product Copeland XWEB 500B PRO

Affected ≤ 1.12.1

CVE-2026-25037: Copeland XWEB and XWEB Pro OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE