CVE-2026-24695

EUVD-2026-8953
An OS command injection 




vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an 
authenticated attacker to achieve remote code execution on the system by
 injecting malicious input into OpenSSL argument fields within requests 
sent to the utility route, leading to remote code execution.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
copelandxweb_500b_pro_firmware
𝑥
≤ 1.12.1
copelandxweb_300d_pro_firmware
𝑥
≤ 1.12.1
copelandxweb_500d_pro_firmware
𝑥
≤ 1.12.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10