CVE-2026-20091
Description
A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious data into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with the role of Administrator or AAA Administrator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Cisco FXOS and UCS Manager web interfaces allows authenticated administrators to inject scripts, potentially leading to session hijacking or data theft.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software. The root cause is insufficient validation of user-supplied input by the interface [1]. This allows an authenticated attacker to store malicious scripts that will be executed when other users access the affected pages.
Exploitation
Conditions
To exploit this vulnerability, an attacker must have valid credentials for a user account with the role of Administrator or AAA Administrator [1]. The attacker injects malicious data into specific pages of the interface. No additional network access or user interaction beyond the victim viewing the page is required.
Impact
A successful exploit enables the attacker to execute arbitrary script code in the context of the affected interface. This could lead to session hijacking, defacement, or access to sensitive browser-based information such as cookies or session tokens [1].
Mitigation
Cisco has released software updates that address this vulnerability. The advisory recommends upgrading to a fixed release as the only complete remediation; no workarounds are provided, and any temporary mitigations are interim measures only [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in the index yet)