CVE-2026-20172 - Vulnerability Details

- Cisco Enterprise Chat and Email Lite Agent File Upload Vulnerability

Description

A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent.

This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. 

Published: 2026-05-06

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises from insufficient validation of file contents during upload in the Lite Agent component of Cisco Enterprise Chat and Email. An authenticated attacker with Agent privileges can upload a file containing malicious scripts or HTML. The application then makes this file available to other users, and when viewed, the file’s contents execute in the victim’s browser, enabling attacker‑controlled browser-based attacks.

Affected Systems

The affected product is Cisco Enterprise Chat and Email (ECE), specifically the Lite Agent feature. Users with at least the Agent role are required for exploitation. No specific version range is disclosed in the advisory.

Risk and Exploitability

The advisory assigns a CVSS score of 4.3, indicating a low‑to‑medium severity. Exploitation requires valid credentials and user interaction to open the uploaded file, reducing the likelihood of widespread automated attacks. However, because the payload runs in the victim’s browser, the attack can lead to data theft, session hijacking, or further network compromise. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation so far.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Enterprise Chat and Email

unknown

Version	Status	Constraints
`11.6(1)_ES3`	affected	—
`11.6(1)_ES4`	affected	—
`12.0(1)_ES6`	affected	—
`11.6(1)_ES8`	affected	—
`12.0(1)_ES5a`	affected	—
`11.6(1)_ES9`	affected	—
`12.0(1)_ES6_ET1`	affected	—
`11.6(1)_ES6`	affected	—
`11.6(1)_ES5`	affected	—
`12.5(1)_ET1`	affected	—
`12.5(1)`	affected	—
`12.5(1)_ES3_ET1`	affected	—
`12.0(1)_ES3`	affected	—
`11.6(1)_ES11`	affected	—
`12.0(1)_ES4`	affected	—
`12.0(1)_ES5`	affected	—
`11.6(1)_ES2`	affected	—
`11.6(1)_ES9a`	affected	—
`11.6(1)_ES10`	affected	—
`12.0(1)_ES1`	affected	—
`12.0(1)`	affected	—
`12.5(1)_ES3`	affected	—
`12.6(1)`	affected	—
`11.5(1)`	affected	—
`12.0(1)_ES2`	affected	—
`11.6(1)_ES7`	affected	—
`12.5(1)_ES2`	affected	—
`12.6(1)_ET1`	affected	—
`11.6(1)`	affected	—
`12.5(1)_ES1`	affected	—
`12.6(1)_ET2`	affected	—
`12.5(1)_ES3_ET2`	affected	—
`12.0(1)_ES6_ET2`	affected	—
`12.6(1)_ES1`	affected	—
`12.5(1)_ES4`	affected	—
`11.6(1)_ES12`	affected	—
`12.6(1)_ET3`	affected	—
`12.5(1)_ES4_ET1`	affected	—
`12.0(1)_ES6_ET3`	affected	—
`12.6(1)_ES1_ET1`	affected	—
`12.6(1)_ES2`	affected	—
`12.6_ES2_ET1`	affected	—
`12.5(1)_ES5`	affected	—
`12.6_ES2_ET2`	affected	—
`12.0(1)_ES7`	affected	—
`12.6_ES2_ET3`	affected	—
`12.0(1)_ES7_ET1`	affected	—
`12.5(1)_ES5_ET1`	affected	—
`12.6_ES2_ET4`	affected	—
`12.6(1)_ES3`	affected	—
`11.6(1)_ES12_ET1`	affected	—
`12.6_ES3_ET1`	affected	—
`12.5(1)_ES6`	affected	—
`12.6_ES3_ET2`	affected	—
`12.6(1)_ES4`	affected	—
`12.5(1)_ES7`	affected	—
`12.6(1)_ES4_ET1`	affected	—
`12.6(1)_ES5`	affected	—
`12.6(1)_ES5_ET1`	affected	—
`12.6(1)_ES5_ET2`	affected	—
`12.6(1)_ES6`	affected	—
`12.6(1)_ES6_ET1`	affected	—
`12.5(1)_ES8`	affected	—
`12.6(1)_ES6_ET2`	affected	—
`12.6(1)_ES7`	affected	—
`12.6(1)_ES8`	affected	—
`12.6(1)_ES4_ET2`	affected	—
`12.6(1)_ES3_ET3`	affected	—
`12.6(1)_ES2_ET5`	affected	—
`12.6(1)_ES1_ET2`	affected	—
`12.6(1)_ES8_ET1`	affected	—
`12.6(1)_ES7_ET1`	affected	—
`12.6(1)_ES6_ET3`	affected	—
`12.6(1)_ES5_ET3`	affected	—
`12.5(1)_ES8_ET1`	affected	—
`12.5(1)_ES3_ET3`	affected	—
`12.5(1)_ES5_ET2`	affected	—
`12.5(1)_ES6_ET1`	affected	—
`12.5(1)_ES4_ET2`	affected	—
`12.5(1)_ES7_ET1`	affected	—
`12.6(1)_ES8_ET2`	affected	—
`12.6(1)_ES9`	affected	—
`12.6(1)_ES9_ET1`	affected	—
`12.5(1)_ES9`	affected	—
`12.6(1)_ES9_ET2`	affected	—
`12.6(1)_ES9_ET3`	affected	—
`12.6(1)_ES10`	affected	—
`12.6(1)_ES10_ET1`	affected	—
`15.0(1)`	affected	—
`12.6(1)_ES11`	affected	—
`15.0(1)_ET1`	affected	—
`15.0(1)ES202508`	affected	—
`12.6(1)_ES11_ET1`	affected	—
`12.6(1)_ES11_ET2`	affected	—
`12.6(1)_ES12`	affected	—
`15.0(1)ES202511`	affected	—
`12.6(1)_ES12_ET1`	affected	—
`15.0(1)ES202511_ET1`	affected	—
`12.5(1)_ES10`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Enterprise Chat And Email

91%

Version	Status	Scheme	Platform
`11.6(1)_ES3`	affected	generic	—
`11.6(1)_ES4`	affected	generic	—
`12.0(1)_ES6`	affected	generic	—
`11.6(1)_ES8`	affected	generic	—
`12.0(1)_ES5a`	affected	generic	—
`11.6(1)_ES9`	affected	generic	—
`12.0(1)_ES6_ET1`	affected	generic	—
`11.6(1)_ES6`	affected	generic	—
`11.6(1)_ES5`	affected	generic	—
`12.5(1)_ET1`	affected	generic	—
`12.5(1)`	affected	generic	—
`12.5(1)_ES3_ET1`	affected	generic	—
`12.0(1)_ES3`	affected	generic	—
`11.6(1)_ES11`	affected	generic	—
`12.0(1)_ES4`	affected	generic	—
`12.0(1)_ES5`	affected	generic	—
`11.6(1)_ES2`	affected	generic	—
`11.6(1)_ES9a`	affected	generic	—
`11.6(1)_ES10`	affected	generic	—
`12.0(1)_ES1`	affected	generic	—
`12.0(1)`	affected	generic	—
`12.5(1)_ES3`	affected	generic	—
`12.6(1)`	affected	generic	—
`11.5(1)`	affected	generic	—
`12.0(1)_ES2`	affected	generic	—
`11.6(1)_ES7`	affected	generic	—
`12.5(1)_ES2`	affected	generic	—
`12.6(1)_ET1`	affected	generic	—
`11.6(1)`	affected	generic	—
`12.5(1)_ES1`	affected	generic	—
`12.6(1)_ET2`	affected	generic	—
`12.5(1)_ES3_ET2`	affected	generic	—
`12.0(1)_ES6_ET2`	affected	generic	—
`12.6(1)_ES1`	affected	generic	—
`12.5(1)_ES4`	affected	generic	—
`11.6(1)_ES12`	affected	generic	—
`12.6(1)_ET3`	affected	generic	—
`12.5(1)_ES4_ET1`	affected	generic	—
`12.0(1)_ES6_ET3`	affected	generic	—
`12.6(1)_ES1_ET1`	affected	generic	—
`12.6(1)_ES2`	affected	generic	—
`12.6_ES2_ET1`	affected	generic	—
`12.5(1)_ES5`	affected	generic	—
`12.6_ES2_ET2`	affected	generic	—
`12.0(1)_ES7`	affected	generic	—
`12.6_ES2_ET3`	affected	generic	—
`12.0(1)_ES7_ET1`	affected	generic	—
`12.5(1)_ES5_ET1`	affected	generic	—
`12.6_ES2_ET4`	affected	generic	—
`12.6(1)_ES3`	affected	generic	—
`11.6(1)_ES12_ET1`	affected	generic	—
`12.6_ES3_ET1`	affected	generic	—
`12.5(1)_ES6`	affected	generic	—
`12.6_ES3_ET2`	affected	generic	—
`12.6(1)_ES4`	affected	generic	—
`12.5(1)_ES7`	affected	generic	—
`12.6(1)_ES5`	affected	generic	—
`12.6(1)_ES5_ET1`	affected	generic	—
`12.6(1)_ES5_ET2`	affected	generic	—
`12.6(1)_ES6`	affected	generic	—
`12.6(1)_ES6_ET1`	affected	generic	—
`12.5(1)_ES8`	affected	generic	—
`12.6(1)_ES6_ET2`	affected	generic	—
`12.6(1)_ES7`	affected	generic	—
`12.6(1)_ES8`	affected	generic	—
`12.6(1)_ES4_ET2`	affected	generic	—
`12.6(1)_ES3_ET3`	affected	generic	—
`12.6(1)_ES2_ET5`	affected	generic	—
`12.6(1)_ES1_ET2`	affected	generic	—
`12.6(1)_ES8_ET1`	affected	generic	—
`12.6(1)_ES7_ET1`	affected	generic	—
`12.6(1)_ES6_ET3`	affected	generic	—
`15.0(1)`	affected	generic	—
`12.6(1)_ES11`	affected	generic	—
`15.0(1)_ET1`	affected	generic	—
`15.0(1)ES202508`	affected	generic	—
`12.6(1)_ES11_ET1`	affected	generic	—
`12.6(1)_ES11_ET2`	affected	generic	—
`12.6(1)_ES12`	affected	generic	—
`15.0(1)ES202511`	affected	generic	—
`12.6(1)_ES12_ET1`	affected	generic	—
`15.0(1)ES202511_ET1`	affected	generic	—
`12.5(1)_ES10`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Cisco Enterprise Chat and Email to the latest release that includes the fixed file‑upload validation.
If a patch is not immediately available, restrict the file types accepted by the Lite Agent upload interface to only those required for normal operation and disable execution of any uploaded content by configuring the web server or CMS to serve uploads as static files.
Audit existing uploads to remove any files containing executable scripts or HTML and implement content scanning or sandboxing for future uploads to ensure that only safe content is delivered to users.

Generated by OpenCVE AI on May 6, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-lite-agent-BCgSN8eb

History

Thu, 07 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco enterprise Chat And Email
Vendors & Products		Cisco Cisco enterprise Chat And Email

Wed, 06 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 06 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks.
Title		Cisco Enterprise Chat and Email Lite Agent File Upload Vulnerability
Weaknesses		CWE-646
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-lite-agent-BCgSN8eb
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Cisco Enterprise Chat And Email

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-05-06T16:15:37.789Z

Updated: 2026-05-06T17:46:04.178Z

Reserved: 2025-10-08T11:59:15.391Z

Link: CVE-2026-20172

Vulnrichment

Updated: 2026-05-06T17:45:59.805Z

NVD

Status : Awaiting Analysis

Published: 2026-05-06T17:16:20.880

Modified: 2026-05-06T18:59:53.230

Link: CVE-2026-20172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:15:15Z

Weaknesses

CWE-646

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object