PT-2026-22273 · Xweb Pro · Xweb Pro

Amir Zaltzman

+1

·

Published

2026-02-27

·

Updated

2026-03-04

·

CVE-2026-23702

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions XWEB Pro versions prior to 1.12.1
Description A flaw exists that allows a logged-in attacker to execute code on the system. This is possible by submitting crafted input into the username field of the import preconfiguration action via the API V1 route. The affected API endpoint is '/api/V1'. The vulnerable parameter is username.
Recommendations Update to a version newer than 1.12.1.

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-23702

Affected Products

Xweb Pro