Medium severity4.8NVD Advisory· Published Jan 21, 2026· Updated Apr 15, 2026

CVE-2026-20055

Description

Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco Packaged CCE and Unified CCE have multiple XSS vulnerabilities allowing authenticated remote attackers to execute script in the web management interface.

Multiple cross-site scripting (XSS) vulnerabilities exist in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE). The vulnerabilities stem from improper validation of user-supplied input by the interface, enabling an attacker to inject malicious code into specific pages. [1]

To exploit these vulnerabilities, an attacker must have valid administrative credentials and be authenticated to the affected device. The attacker can then inject script code into the web management interface, which will be executed in the context of the interface when viewed by another administrator. [1]

A successful exploit could allow the attacker to execute arbitrary script code or access sensitive browser-based information. This could lead to further compromise within the administrative environment. [1]

Cisco has released software updates to address these vulnerabilities. There are no workarounds available. Administrators are advised to apply the patches as soon as possible. [1]

References

Cisco Security Advisory: Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise Cross-Site Scripting Vulnerabilities

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Cisco Systems, Inc./Unified Contact Center Enterprisellm-fuzzy
Cisco Systems, Inc./Ip Contact Center Enterprisellm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucce-pcce-xss-2JVyg3uDnvd

News mentions

No linked articles in our index yet.

cvss	0.312
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000