CVE-2026-24452

CVE-2026-24452 is an OS command injection vulnerability (CWE-78) affecting XWEB Pro version 1.12.1 and prior versions. The flaw resides in the devices route, where an attacker can supply a crafted template file to trigger command injection. Published on 2026-02-27, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity with network accessibility but requiring high privileges and complex preconditions.

An authenticated attacker with high privileges can exploit this vulnerability remotely by submitting a malicious template file via the devices route, leading to arbitrary OS command execution and full remote code execution (RCE) on the affected system. The scoped impact (S:C) amplifies the consequences, potentially allowing complete compromise of confidentiality, integrity, and availability.

CISA's ICS Advisory ICSA-26-057-10, detailed in the associated CSAF JSON file on GitHub, documents the vulnerability, while Copeland's Dixell software update page provides relevant patches or updates for mitigation. Security practitioners should consult these resources for specific remediation steps, such as upgrading to a patched version of XWEB Pro.