CVE-2026-20109: The Call Is Coming From Inside The House: Cisco CCE Stored XSS

#security #cve #cybersecurity

The Call Is Coming From Inside The House: Cisco CCE Stored XSS

Vulnerability ID: CVE-2026-20109
CVSS Score: 4.8
Published: 2026-01-21

A classic Stored Cross-Site Scripting (XSS) vulnerability lurking in the administrative heart of Cisco's enterprise contact center solutions. While it requires high privileges to plant, it serves as a perfect persistence mechanism for attackers looking to ambush senior administrators.

TL;DR

Cisco Unified and Packaged Contact Center Enterprise (CCE) contain a Stored XSS vulnerability in their web management interface. Authenticated attackers with administrative access can inject malicious scripts into configuration fields, which subsequently execute in the browsers of other administrators viewing those fields. Patches are available.

Technical Details

CWE ID: CWE-79
CVSS Score: 4.8 (Medium)
Attack Vector: Network (Authenticated)
Privileges Required: High (Admin)
Exploit Status: None (No public PoC)
EPSS Score: 0.00036 (Low Probability)

Affected Systems

Cisco Packaged Contact Center Enterprise (Packaged CCE) 10.x through 15.x
Cisco Unified Contact Center Enterprise (Unified CCE) 10.x through 15.x
Packaged CCE: 10.0 - 12.6(2) (Fixed in: See Vendor Advisory)
Unified CCE: 10.0 - 15.0(1) (Fixed in: See Vendor Advisory)

Mitigation Strategies

Input Sanitization
Output Encoding
Content Security Policy (CSP)
Session Management

Remediation Steps:

Identify the running version of Cisco Packaged CCE or Unified CCE.
Compare against the Cisco Advisory version table (e.g., upgrade 12.6(1) to 12.6(1)ES4 or later).
Apply the appropriate Engineering Special (ES) or Service Pack provided by Cisco.
After patching, force a logout for all administrative sessions to invalidate potentially compromised tokens.