CVE-2026-20090
Stored XSS in Cisco IMC Web Interface Allows Script Execution
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | imc | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the web-based management interface of Cisco IMC. It allows an authenticated remote attacker who already has administrative privileges to perform a stored Cross-Site Scripting (XSS) attack against users of the interface.
The root cause is insufficient validation of user input. An attacker can exploit this by convincing a user to click on a specially crafted link, which then executes arbitrary script code in the user's browser or accesses sensitive browser-based information.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute arbitrary scripts in the browser of a targeted user, potentially leading to unauthorized access to sensitive information or manipulation of the web interface.
Since the attacker needs administrative privileges and user interaction (clicking a crafted link), the risk involves targeted attacks that could compromise the confidentiality and integrity of data accessible through the interface.
What immediate steps should I take to mitigate this vulnerability?
This vulnerability requires an authenticated attacker with administrative privileges to exploit the stored XSS issue in the Cisco IMC web-based management interface.
Immediate mitigation steps include limiting administrative access to trusted users only and educating users to avoid clicking on suspicious or untrusted links while using the interface.
Additionally, monitoring for updates or patches from Cisco to address this vulnerability is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker with administrative privileges to conduct a stored cross-site scripting (XSS) attack, potentially leading to the execution of arbitrary script code in the browser of a targeted user or access to sensitive browser-based information.
Such unauthorized access to sensitive information and the potential compromise of user sessions could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
However, specific impacts on compliance depend on the context of use, the nature of the data handled by the affected interface, and the implementation of additional security controls.