PatchSiren cyber security CVE debrief
CVE-2026-20902 Copeland CVE debrief
CISA’s 2026-02-26 advisory (ICSA-26-057-10) says XWEB Pro version 1.12.1 and prior contains an OS command injection flaw in the map upload action: an authenticated attacker can place malicious input in the map filename field on the parameters route and achieve remote code execution on the underlying system. Copeland provides a fix and recommends updating affected XWEB Pro deployments to the latest version.
- Vendor: Copeland
- Product: XWEB 300D PRO (the advisory text also names XWEB 500D PRO and XWEB 500B PRO)
- CVSS: 8.0 (High), v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Administrators and operators responsible for Copeland XWEB Pro deployments, especially XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO systems. This matters most where the management interface is reachable from broader enterprise or remote-access networks, and where more than a tightly controlled set of people hold the high-privilege accounts the attack requires.
Technical summary
The advisory describes a command-injection weakness in the map upload action, specifically in the map filename field on the parameters route. Exploitation requires an authenticated, high-privileged account and no user interaction, but successful abuse leads to remote code execution with high confidentiality, integrity, and availability impact. The supplied CVSS v3.1 vector, AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, reflects network reachability, high attack complexity, and high privileges required; the changed scope (S:C) indicates the impact reaches beyond the web application into the host it runs on. The vector evaluates to a base score of 8.0 (High).
Defensive priority
High. Patch promptly, with special attention to internet-accessible or remotely administered instances, and review which accounts hold the high privileges the attack requires.
Recommended defensive actions
- Update XWEB Pro to the latest vendor-released version using Copeland’s software update path.
- If updating the device directly, confirm the unit is approved for online update before using SYSTEM → Updates → Network on the device.
- Restrict authenticated access to the XWEB Pro management interface to trusted administrative networks only.
- Review logs and account activity for unusual requests to the parameters route or the map upload function, in particular uploads whose filename contains shell metacharacters or path components.
- Confirm all deployed instances and versions against the advisory, including XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO.
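A starting point for the log review above, as an added example that is not part of the advisory or of Copeland's tooling: it scans captured HTTP requests (as a reverse proxy or WAF in front of the management interface might record them) and flags multipart uploads whose filename carries shell metacharacters or path components. It assumes, beyond what the advisory states, that the parameters route's path contains "parameters" and that the map file is sent as a multipart/form-data part with a filename attribute; the sample requests are constructed for the example.

```python
"""Triage captured upload requests for suspicious map filenames (added example)."""
import re

# Characters that would let a filename break out of a naively built shell command.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?'\\\r\n]")
# A conservative idea of an ordinary map filename: alphanumerics, dot, underscore, dash.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
FILENAME_RE = re.compile(r'Content-Disposition:[^\r\n]*?\bfilename="([^"]*)"', re.IGNORECASE)
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d", re.MULTILINE)


def classify_filename(name: str) -> str:
    """Return the most severe finding for one uploaded filename."""
    if SHELL_META.search(name) or name.startswith("-"):
        return "shell-meta"      # a leading '-' can also be parsed as an option by a tool
    if name in ("", ".", "..") or "/" in name or ".." in name:
        return "path"            # a bare filename should never carry directory parts
    if not SAFE_NAME.fullmatch(name):
        return "nonstandard"     # spaces, non-ASCII etc.: worth a look, not an alarm
    return "ok"


def extract_filenames(raw_request: str) -> list:
    """All filename attributes from the multipart Content-Disposition headers."""
    return FILENAME_RE.findall(raw_request)


def triage(raw_request: str, route_marker: str = "parameters") -> dict:
    """Classify one captured request; alert only on the assumed parameters route."""
    m = REQUEST_LINE_RE.search(raw_request)
    method, path = (m.group(1), m.group(2)) if m else ("?", "?")
    findings = [(n, classify_filename(n)) for n in extract_filenames(raw_request)]
    on_route = route_marker in path.split("?", 1)[0]
    alert = on_route and any(c in ("shell-meta", "path") for _, c in findings)
    return {"method": method, "path": path, "on_parameters_route": on_route,
            "findings": findings, "alert": alert}


def _multipart(filename: str, path: str = "/parameters") -> str:
    """Build a minimal multipart upload request (constructed test data; the
    route path and field name are assumptions, not taken from the advisory)."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: xweb.example.internal\r\n"
        "Content-Type: multipart/form-data; boundary=----b1\r\n"
        "\r\n"
        "------b1\r\n"
        f'Content-Disposition: form-data; name="mapfile"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        "<map/>\r\n"
        "------b1--\r\n"
    )


BENIGN_REQUEST = _multipart("store_layout.map")
SUSPICIOUS_REQUEST = _multipart("layout.map;id")
TRAVERSAL_REQUEST = _multipart("../../tmp/layout.map")

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, SUSPICIOUS_REQUEST, TRAVERSAL_REQUEST):
        r = triage(req)
        print(f"{r['method']} {r['path']} alert={r['alert']} findings={r['findings']}")
```

Plain access logs usually record only the request line, so a multipart filename will not appear there; this check needs full-request capture from a proxy, WAF, or packet capture in front of the interface. Requests that fail only the "nonstandard" test are for review, not alerting, because legitimate uploads from Windows clients often contain spaces.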
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-057-10, published 2026-02-26 UTC, which states that XWEB Pro version 1.12.1 and prior is vulnerable to OS command injection via the map filename field during the map upload action of the parameters route. The supplied advisory metadata also includes the CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (base score 8.0, High) and points to Copeland’s software update page as the remediation path. No exploitation activity or KEV listing is included in the supplied corpus.
Official resources
- CVE-2026-20902 CVE record (CVE.org)
- CVE-2026-20902 NVD detail (NVD)
- Source item: CISA CSAF advisory ICSA-26-057-10 (cisa_csaf)
Initial public disclosure and advisory publication are both dated 2026-02-26T07:00:00.000Z in the supplied sources.