CVE-2026-3037 HIGH

CVE-2026-3037: Copeland XWEB and XWEB Pro OS Command Injection

Vendor Copeland
Product Copeland XWEB 300D PRO
Weakness CWE-78
Published February 27, 2026
Last update February 27, 2026

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.

Key dates

02Disclosure timeline

February 27, 2026 CVE published
February 27, 2026 Record updated