CVE-2026-20055
Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials.
EPSS 0.06% · 19.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Unified Contact Center Enterprise | 12.6(1)ES3, 12.6(1)ES1, 12.6(1)ES2 |
| Cisco | Cisco Packaged Contact Center Enterprise | 12.5(1), 11.0(1), 12.0(1) |
Exploit Intelligence
- CIRCL seen: CVE-2026-20055 (circl-sighting)
- cisco-sa-ucce-pcce-xss-2JVyg3uD (circl)
- CVE-2026-20055.json (github-poc)
Timeline
- Jan 21, 2026 CVE Published
- Jan 21, 2026 PoC Published
- Jan 22, 2026 EPSS Score
- Jan 25, 2026 EPSS Score
- Jan 27, 2026 EPSS Score
- Jan 30, 2026 EPSS Score
- Feb 2, 2026 EPSS Score
- Feb 4, 2026 EPSS Score
- Feb 7, 2026 EPSS Score
- Feb 10, 2026 EPSS Score
- Feb 13, 2026 EPSS Score
- Feb 15, 2026 EPSS Score