VYPR
Medium severity 4.8 · NVD Advisory · Published Jan 21, 2026 · Updated Apr 15, 2026

CVE-2026-20109

Description

Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web-based management interface allow authenticated attackers to inject malicious script.

Vulnerability Overview

Multiple cross-site scripting (XSS) vulnerabilities exist in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE). The root cause is improper validation of user-supplied input, allowing injection of malicious code into specific pages of the interface [1].

Exploitation Conditions

An attacker must have valid administrative credentials to exploit these vulnerabilities. With authenticated access, the attacker can inject malicious script into the management interface, which then executes when a user views the affected page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information [1].

Mitigation

Cisco has released software updates to address these vulnerabilities. There are no workarounds available [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

References: 1
