CVE-2026-20089
Description
A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Cisco IMC web management interface allows authenticated admin to execute arbitrary script in another user's browser via crafted link.
Vulnerability Overview
CVE-2026-20089 is a stored cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC). The root cause is insufficient validation of user input, allowing an attacker to inject malicious script that is stored on the server and later served to other users [1].
Exploitation Conditions
To exploit this vulnerability, an attacker must be authenticated with administrative privileges on the affected Cisco IMC instance. The attacker then crafts a malicious link and persuades a user of the interface to click it. No additional network access is required beyond the management interface [1].
Impact
Successful exploitation enables the attacker to execute arbitrary script code in the browser of the targeted user. This could lead to theft of session tokens, manipulation of interface content, or access to sensitive browser-based information [1].
Mitigation
Cisco has released software updates that address this vulnerability. There are no workarounds. Affected products include 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6, and UCS E-Series M3/M6 servers [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.