CVE-2026-20087
Stored XSS in Cisco IMC Web Interface Enables Remote Script Execution
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | imc | * |
| cisco | imc | From 4.3(6.260017) (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20087 is a stored cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC). It allows an authenticated remote attacker with administrative privileges to inject malicious scripts into the interface. These scripts then execute in the browsers of other users who access the interface.
The root cause of this vulnerability is insufficient validation of user input. An attacker can exploit this by persuading a user to click a specially crafted link, which triggers the execution of arbitrary script code in the victim's browser or allows access to sensitive browser-based information.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to execute arbitrary scripts in the browsers of users accessing the Cisco IMC web interface. This can lead to unauthorized actions being performed on behalf of the user or exposure of sensitive information stored or accessible in the browser.
Since the attacker must have administrative privileges and the victim must interact with a crafted link, the risk involves targeted attacks within environments where Cisco IMC is used. Successful exploitation could compromise confidentiality and integrity of browser-based data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) flaw in the Cisco IMC web-based management interface that requires an authenticated attacker with administrative privileges to exploit. Detection involves identifying if your Cisco IMC interface is running a vulnerable version and monitoring for suspicious script injections or unusual behavior in the web interface.
Since exploitation requires authentication and administrative access, network scanning alone may not detect it. Instead, detection should focus on verifying the software version of Cisco IMC against known fixed releases.
Suggested commands or steps include checking the Cisco IMC software version via the management interface or CLI to confirm if it is older than the fixed versions (e.g., Cisco IMC 4.3(6.260017) or later). For example, you can log into the IMC interface and check the version information displayed or use Cisco Host Upgrade Utility (HUU) tools to query the installed software version.
There are no specific commands provided in the resources for detecting malicious script injections or scanning for this XSS vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the Cisco IMC software to a fixed release version that addresses CVE-2026-20087.
- Upgrade Cisco IMC to version 4.3(6.260017) or later for UCS C-Series M6 Rack Servers.
- Upgrade Cisco NFVIS to version 4.18.3 or later for 5000 Series ENCS.
- Use Cisco Host Upgrade Utility (HUU) to perform direct IMC software upgrades on appliances based on UCS C-Series Servers.
- Apply specific firmware updates and patches provided for other affected appliances such as Cisco Telemetry Broker Appliances, IEC6400 Edge Compute Appliances, and Secure Endpoint Private Cloud Appliances.
No workarounds are available, so timely application of these software updates is critical to mitigate the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated attacker with administrative privileges to execute arbitrary scripts in the browsers of other users, potentially leading to unauthorized access to sensitive browser-based information.
Such unauthorized access to sensitive information could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access or disclosure.
However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.