PT-2026-7658 · Copeland · Copeland Xweb 300D Pro+5

Amir Zaltzman +1 · Published 2026-02-11 · Updated 2026-03-04 · CVE-2026-21389

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

XWEB Pro versions prior to 1.12.1
MSHTML (affected versions not specified)

Description

An OS command injection issue exists in XWEB Pro, allowing a user with network access to execute code remotely by injecting malicious input into the request body sent to the contacts import route. A memory corruption flaw has been actively exploited in MSHTML (Trident) through specially crafted web or HTML content, leading to code execution with the privileges of the current user. This affects global Windows systems, particularly those utilizing legacy Internet Explorer components within applications like Office or embedded web controls.

Recommendations

Update XWEB Pro to version 1.12.1 or later. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-21389

Affected Products

Copeland Xweb 300D Pro
Copeland Xweb 500B Pro
Copeland Xweb 500D Pro
Xweb 300D Pro Firmware
Xweb 500B Pro Firmware
Xweb 500D Pro Firmware