Description
Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. 

These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.
Published: 2026-01-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting in Cisco Unified Contact Center Enterprise web interface
Action: Apply patch
AI Analysis

Impact

Multiple vulnerabilities exist in the web-based management interface of Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise because the interface fails to validate user-supplied input. An authenticated, remote attacker with administrative credentials can inject malicious code into specific pages and execute arbitrary scripts in the context of the interface, or access sensitive browser-based information.

Affected Systems

Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise. No specific version information is provided, indicating that all product releases may be affected.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity, while the EPSS score of less than 1% suggests a very low exploitation probability. The vulnerability is not listed in CISA's KEV catalog, further supporting its low likelihood of being actively exploited. An attacker must first obtain valid administrative credentials and then access the web management interface, making the primary attack vector a remote web-based management session with privileged accounts.

Generated by OpenCVE AI on April 18, 2026 at 04:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco CCE patch or upgrade to a release that addresses the XSS vulnerability.
  • Restrict administrative access to the web interface to trusted IP addresses or secure networks.
  • Monitor web interface traffic for scripting attempts and enforce stricter input validation or sanitization.

Generated by OpenCVE AI on April 18, 2026 at 04:13 UTC.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 16:45:00 +0000

Values added (none removed):
First Time appeared: Cisco; Cisco packaged Contact Center Enterprise; Cisco unified Contact Center Enterprise
Vendors & Products: Cisco; Cisco packaged Contact Center Enterprise; Cisco unified Contact Center Enterprise

Wed, 21 Jan 2026 17:15:00 +0000

Values added (none removed):
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 16:45:00 +0000

Values added (none removed):
Description: Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.
Title: Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise Cross-Site Scripting Vulnerability
Weaknesses: CWE-79
References
Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-01-21T16:46:11.154Z

Reserved: 2025-10-08T11:59:15.374Z

Link: CVE-2026-20109

Vulnrichment

Updated: 2026-01-21T16:45:42.982Z

NVD

Status: Deferred

Published: 2026-01-21T17:16:08.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-20109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z
