PatchSiren cyber security CVE debrief
CVE-2026-20742 Copeland CVE debrief
CVE-2026-20742 is an authenticated OS command injection in Copeland XWEB Pro that can lead to remote code execution. CISA published the advisory on 2026-02-26 and Copeland provided a fix for affected XWEB Pro versions 1.12.1 and earlier.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
OT and industrial control system administrators, site reliability teams supporting XWEB Pro, security operations, and incident responders responsible for Copeland XWEB deployments.
Technical summary
According to CISA’s advisory ICSA-26-057-10, the issue affects XWEB Pro version 1.12.1 and prior and can be triggered by injecting malicious input into requests sent to the templates route. The result is OS command injection with remote code execution potential for an authenticated attacker. The corpus also lists affected XWEB Pro models including XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO.
Defensive priority
High — the vulnerability can progress from authenticated input handling to remote code execution on an OT-related system, so patching and access review should be prioritized.
Recommended defensive actions
- Update XWEB Pro to the latest Copeland-fixed version using the vendor’s software update page.
- If the device has internet access, use the SYSTEM -- Updates | Network path to update directly from Copeland servers, as described in the advisory.
- Review and restrict who can authenticate to XWEB Pro administrative functions, especially the templates route area implicated in the advisory.
- Monitor logs for abnormal or unexpected requests to administrative/template-related endpoints.
- Apply standard ICS hardening measures such as network segmentation and least-privilege access around affected systems.
Evidence notes
Primary evidence comes from CISA advisory ICSA-26-057-10 and the mirrored CSAF source item. The advisory states that an authenticated attacker can inject malicious input into requests sent to the templates route, causing OS command injection and possible remote code execution. Publication and modification timestamps in the corpus are both 2026-02-26T07:00:00.000Z. The supplied corpus does not mark this CVE as a Known Exploited Vulnerability. Vendor metadata in the prompt is low-confidence and marked for review, so product attribution should be treated cautiously.
Official resources
-
CVE-2026-20742 CVE record
CVE.org
-
CVE-2026-20742 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published ICSA-26-057-10 and the CVE record on 2026-02-26. The SSVC timestamp included in the advisory (2026-02-25T07:00:00Z) is an assessment/evaluation time, not the publication date.