CVE-2026-20902

High

Published: 27 February 2026

Published

27 February 2026

Modified

27 February 2026

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0028 51.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of…

the parameters route.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by requiring validation of malicious inputs in the map filename field during upload.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability through timely flaw remediation via vendor patches for affected XWEB Pro versions.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on filename inputs to block malicious payloads that enable command injection in the parameters route.

Security SummaryAI

CVE-2026-20902 is an OS command injection vulnerability (CWE-78) present in XWEB Pro version 1.12.1 and prior versions. The issue allows malicious input to be injected into the map filename field during the map upload action within the parameters route, potentially leading to remote code execution on the affected system. Published on 2026-02-27, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N), though it requires high attack complexity (AC:H) and involves no user interaction (UI:N). Exploitation changes the scope (S:C) and enables high-impact remote code execution, compromising confidentiality, integrity, and availability (C:H/I:H/A:H) on the target system.

CISA's ICS Advisory ICSA-26-057-10 and the associated CSAF document detail the vulnerability, while the vendor's system software update page at webapps.copeland.com provides relevant mitigation information, including patches for affected XWEB Pro versions.

Details

CWE(s): CWE-78

Affected Products

copeland

xweb 300d pro firmware

≤ 1.12.1

copeland

xweb 500d pro firmware

≤ 1.12.1

copeland

xweb 500b pro firmware

≤ 1.12.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

OS command injection vulnerability in a web application's map upload feature (parameters route) allows remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
Product · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
Third Party Advisory, US Government Resource · ics-cert@hq.dhs.gov