CVE-2026-20091
A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious data into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with the role of Administrator or AAA Administrator.
EPSS 0.04% · 14.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Unified Computing System (Managed) | *, *, * |
| Cisco | Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 9.12.1.2, 9.12.3.7, 9.12.3.9 |
| Cisco | Cisco Firepower Extensible Operating System (FXOS) | 2.14.1.131, 2.14.1.143, 2.16.0.128 |
Exploit Intelligence
- cisco-sa-ucsfxosxss-7skVE8Zv (circl)
Timeline
- Oct 8, 2025 CVE ID Reserved
- Feb 25, 2026 CVE Published
- Feb 25, 2026 CVE Updated
- Feb 26, 2026 EPSS Score
- Feb 27, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
- Mar 8, 2026 EPSS Score
- Mar 10, 2026 EPSS Score