VYPR

Xweb

by Xweb

CVEs (15)

  • CVE-2026-25109HigFeb 27, 2026
    risk 0.52cvss 8.0epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route.

  • CVE-2026-20910HigFeb 27, 2026
    risk 0.52cvss 8.0epss 0.01

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code…

  • CVE-2004-1838Mar 22, 2004
    risk 0.03cvss epss 0.04

    Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL.

  • CVE-2026-3037Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is…

  • CVE-2026-22877Feb 27, 2026
    risk 0.00cvss epss 0.01

    An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.

  • CVE-2026-25037Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote…

  • CVE-2026-20764Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system…

  • CVE-2026-25721Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API…

  • CVE-2026-23702Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in…

  • CVE-2026-24695Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route,…

  • CVE-2026-20902Feb 27, 2026
    risk 0.00cvss epss 0.01

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters…

  • CVE-2026-24689Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action.

  • CVE-2026-24517Feb 27, 2026
    risk 0.00cvss epss 0.02

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.

  • CVE-2026-20742Feb 27, 2026
    risk 0.00cvss epss 0.01

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.

  • CVE-2026-21389Feb 27, 2026
    risk 0.00cvss epss 0.01

    An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.