Cisco Packaged CCE XSS via Authenticated Web UI
CVE-2026-20109 Published on January 21, 2026

Cisco Packaged Contact Center Enterprise and Cisco Unified Contact Center Enterprise Cross-Site Scripting Vulnerability
Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.  These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.

NVD

Vulnerability Analysis

CVE-2026-20109 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-20109 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2026-20109

stack.watch emails you whenever new vulnerabilities are published in Cisco Packaged Contact Center Enterprise or Cisco Unified Contact Center Enterprise. Just hit a watch button to start following.

Cisco Packaged Contact Center Enterprise

Cisco Unified Contact Center Enterprise

Affected Versions

Cisco Packaged Contact Center Enterprise:

Version 12.5(1) is affected.
Version 11.0(1) is affected.
Version 12.0(1) is affected.
Version 11.0(2) is affected.
Version 11.5(1) is affected.
Version 10.5(1) is affected.
Version 10.5(2) is affected.
Version 11.6(2) is affected.
Version 10.5(1)_ES7 is affected.
Version 11.6(1) is affected.
Version 10.5(2)_ES8 is affected.
Version 12.6(1) is affected.
Version 12.5(2) is affected.
Version 12.6(2) is affected.
Version 15.0(1) is affected.

Cisco Unified Contact Center Enterprise:

Version 12.6(1)ES3 is affected.
Version 12.6(1)ES1 is affected.
Version 12.6(1) is affected.
Version 12.6(1)ES2 is affected.
Version 12.6(1)SecurityPatch is affected.
Version 12.5(1)ES1 is affected.
Version 12.5(1) is affected.
Version 12.6(1)ES4 is affected.
Version 11.0(1) is affected.
Version 10.5(1) is affected.
Version 12.0(1) is affected.
Version 10.5 is affected.
Version 11.0 is affected.
Version 11.5 is affected.
Version 12.6(2) is affected.
Version 12.6(2)ES1 is affected.
Version 12.6(2)ES2 is affected.
Version 15.0(1) is affected.
Version 12.6(2)ES3 is affected.
Version 15.0(1)ET01 is affected.
Version 15.0(1)_SP1 is affected.
Version 15.0(1)ES202508 is affected.
Version 12.6(2)_ES is affected.

Exploit Probability

EPSS

0.04%

Percentile

11.81%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.