CVE-2026-20109
Unknown Unknown - Not Provided
Authenticated XSS Vulnerabilities in Cisco Contact Center Web Interface

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: Cisco Systems, Inc.

Description
Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.  These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20109
EUVD
EUVD-2026-3651
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cisco packaged_contact_center_enterprise *
cisco unified_contact_center_enterprise *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves multiple issues in the web-based management interface of Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise. An authenticated remote attacker with valid administrative credentials can perform a cross-site scripting (XSS) attack by injecting malicious code into specific pages of the interface. This happens because the interface does not properly validate user-supplied input, allowing the attacker to execute arbitrary script code or access sensitive browser-based information within the context of the affected interface.

Impact Analysis

If exploited, this vulnerability could allow an attacker with administrative access to execute arbitrary scripts in the context of the web-based management interface. This could lead to unauthorized access to sensitive information displayed in the browser or manipulation of the interface, potentially compromising the security and integrity of the affected system.

Mitigation Strategies

To mitigate this vulnerability, ensure that only trusted administrators have access to the web-based management interface, as exploitation requires valid administrative credentials. Additionally, apply any available patches or updates from Cisco for the affected products. Limit access to the management interface through network controls and monitor for suspicious activity involving the interface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20109. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart