Description
A vulnerability in Cisco Webex could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. Cisco has addressed this vulnerability, and no customer action is needed.

This vulnerability was due to improper filtering of user-supplied input. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to conduct an XSS attack against the targeted user.
Published: 2026-03-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that allows an attacker to run malicious code in a victim’s browser
Action: No action required
AI Analysis

Impact

A flaw in Cisco Webex’s input filtering permits an attacker to embed malicious JavaScript in a link. When a user opens the link, the script executes within the victim’s browser context, where it could steal session data or alter what the interface displays. The weakness is classified as CWE-79, improper neutralization of user-supplied input during web page generation.

Affected Systems

The vulnerability applies to Cisco Webex Meetings. No specific version range is provided, so any deployment of Webex Meetings could be affected until the vendor’s fix is applied.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score of less than 1% shows a very low likelihood of real‑world exploitation. The vulnerability is not listed in CISA’s KEV catalog. An unauthenticated attacker would need to persuade a user to click a malicious link, so exploitation depends on social engineering and user interaction rather than direct network intrusion.

Generated by OpenCVE AI on April 17, 2026 at 13:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco Webex Meetings release that contains the XSS fix, or ensure the update is scheduled for deployment as soon as possible.
  • If a custom or third‑party component is used to render Webex content, verify that all user‑supplied data is correctly escaped or sanitized before rendering in the browser.
  • Deploy a strict content‑security‑policy in browsers or reverse proxies to disallow inline script execution, thereby reducing the impact of any remaining injection flaws.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Remote Cross‑Site Scripting via Improper Input Filtering in Cisco Webex Meetings |

Mon, 09 Mar 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Cisco webex |
| CPEs | | cpe:2.3:a:cisco:webex:-:*:*:*:*:*:*:* |
| Vendors & Products | | Cisco webex |

Thu, 05 Mar 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Cisco; Cisco webex Meetings |
| Vendors & Products | | Cisco; Cisco webex Meetings |

Wed, 04 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 04 Mar 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability in Cisco Webex could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. Cisco has addressed this vulnerability, and no customer action is needed. This vulnerability was due to improper filtering of user-supplied input. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to conduct an XSS attack against the targeted user. |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |


Subscriptions

Cisco Webex Webex Meetings
MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T20:52:26.015Z

Reserved: 2025-10-08T11:59:15.385Z

Link: CVE-2026-20149

Vulnrichment

Updated: 2026-03-04T20:52:22.553Z

NVD

Status: Analyzed

Published: 2026-03-04T18:16:27.427

Modified: 2026-03-09T17:52:37.567

Link: CVE-2026-20149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses