PT-2026-22250 · Xweb Pro · Xweb Pro

Amir Zaltzman

Published

2026-02-27

Updated

2026-03-04

CVE-2026-20902

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions XWEB Pro versions prior to 1.12.1

Description An operating system command injection issue exists that allows an authenticated attacker to execute code remotely. This is achieved by injecting malicious input into the map filename field during the map upload action of the parameters route.

Recommendations Update to a version of XWEB Pro later than 1.12.1.

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-20902

Affected Products

Xweb Pro

PT-2026-22250 · Xweb Pro · Xweb Pro

CVE-2026-20902

Weakness Enumeration

Related Identifiers

Affected Products

References · 10