Xweb
Products
1- 15 CVEs
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25109 | Hig | 0.52 | 8.0 | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route. | ||
| CVE-2026-20910 | Hig | 0.52 | 8.0 | 0.01 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code… | ||
| CVE-2004-1838 | 0.03 | — | 0.04 | Mar 22, 2004 | Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL. | |||
| CVE-2026-3037 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is… | |||
| CVE-2026-22877 | 0.00 | — | 0.01 | Feb 27, 2026 | An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack. | |||
| CVE-2026-25037 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote… | |||
| CVE-2026-20764 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system… | |||
| CVE-2026-25721 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API… | |||
| CVE-2026-23702 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in… | |||
| CVE-2026-24695 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route,… | |||
| CVE-2026-20902 | 0.00 | — | 0.01 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters… | |||
| CVE-2026-24689 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action. | |||
| CVE-2026-24517 | 0.00 | — | 0.02 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route. | |||
| CVE-2026-20742 | 0.00 | — | 0.01 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route. | |||
| CVE-2026-21389 | 0.00 | — | 0.01 | Feb 27, 2026 | An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route. |
- risk 0.52cvss 8.0epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route.
- risk 0.52cvss 8.0epss 0.01
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code…
- CVE-2004-1838Mar 22, 2004risk 0.03cvss —epss 0.04
Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL.
- CVE-2026-3037Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is…
- CVE-2026-22877Feb 27, 2026risk 0.00cvss —epss 0.01
An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.
- CVE-2026-25037Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote…
- CVE-2026-20764Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system…
- CVE-2026-25721Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API…
- CVE-2026-23702Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in…
- CVE-2026-24695Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route,…
- CVE-2026-20902Feb 27, 2026risk 0.00cvss —epss 0.01
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters…
- CVE-2026-24689Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action.
- CVE-2026-24517Feb 27, 2026risk 0.00cvss —epss 0.02
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.
- CVE-2026-20742Feb 27, 2026risk 0.00cvss —epss 0.01
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.
- CVE-2026-21389Feb 27, 2026risk 0.00cvss —epss 0.01
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.