Description
Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. 

These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.
Published: 2026-01-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Script execution on the web management interface
Action: Assess Impact
AI Analysis

Impact

CVE-2026-20055 describes multiple cross‑site scripting weaknesses in the web‑based management interface of Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise. An attacker who has authenticated administrative credentials can inject malicious content into selected pages of the interface. If successful, the injected code executes in the victim’s browser session, potentially allowing the attacker to run arbitrary scripts or read sensitive, browser‑specific data held by the user. The impact is confined to the context of the web interface and depends on the privileges of the abused account.

Affected Systems

Affected systems are Cisco’s Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise. The advisory does not list specific affected versions, so any installation of these products that is not at the latest maintenance level may be at risk.

Risk and Exploitability

The CVSS score of 4.8 suggests moderate risk, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not part of the KEV catalog. An attacker must possess valid administrative credentials, so only users with elevated rights can exploit the flaw. Successful exploitation would allow script execution within the authenticated session and could facilitate data disclosure or session hijacking.

Generated by OpenCVE AI on April 18, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the affected devices to the latest firmware or software release that contains the XSS fix.
  • Restrict web‑interface access to a trusted network or through a VPN, and enforce the principle of least privilege for all administrative accounts.
  • Deploy a web‑application firewall or use input‑validation filters to detect and block common XSS payloads, and monitor logs for anomalous script execution attempts.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cisco; Cisco packaged Contact Center Enterprise; Cisco unified Contact Center Enterprise

Type: Vendors & Products
Values Removed: (none)
Values Added: Cisco; Cisco packaged Contact Center Enterprise; Cisco unified Contact Center Enterprise

Wed, 21 Jan 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

Type: Title
Values Removed: (none)
Values Added: Cisco Packaged Contact Center Enterprise & Cisco Unified Contact Center Enterprise Cross-Site Scripting Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-01-21T16:50:04.517Z

Reserved: 2025-10-08T11:59:15.355Z

Link: CVE-2026-20055

Vulnrichment

Updated: 2026-01-21T16:49:43.255Z

NVD

Status: Deferred

Published: 2026-01-21T17:16:08.253

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses