Copeland CVEs & Vulnerabilities

15 CVEs affecting Copeland products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

xweb 500b pro 15xweb 500b pro firmware 15xweb 500d pro firmware 15xweb 500d pro 15xweb 300d pro firmware 15xweb 300d pro 15
CVE-2026-3037HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.

27 Feb 2026
8.8
CVSS
CVE-2026-25721HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.

27 Feb 2026
8.8
CVSS
CVE-2026-25196HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the Wi-Fi SSID and/or password fields can lead to remote code execution when the configuration is processed.

27 Feb 2026
8.8
CVSS
CVE-2026-25105HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into parameters of the Modbus command tool in the debug route.

27 Feb 2026
8.8
CVSS
CVE-2026-25037HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.

27 Feb 2026
8.8
CVSS
CVE-2026-24452HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route.

27 Feb 2026
8.8
CVSS
CVE-2026-23702HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route.

27 Feb 2026
8.8
CVSS
CVE-2026-22877CRITICAL

An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.

27 Feb 2026
9.1
CVSS
CVE-2026-20797CRITICAL

A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program.

27 Feb 2026
9.8
CVSS
CVE-2026-20764HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.

27 Feb 2026
8.8
CVSS
CVE-2026-21718CRITICAL

An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system.

27 Feb 2026
9.8
CVSS
CVE-2026-21389HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.

27 Feb 2026
8.8
CVSS
CVE-2026-20910HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update update action to achieve remote code execution.

27 Feb 2026
8.8
CVSS
CVE-2026-20902HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.

27 Feb 2026
8.8
CVSS
CVE-2026-20742HIGH

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.

27 Feb 2026
8.8
CVSS
← PrevPage 1 / 1Next →