VDB
CVE-2026-20172
CVE-2026-20172
PUBLISHED
CVSS 4.300000190734863 MEDIUM
A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks.
EPSS 0.02% · 6.5th percentile
Risk Scores
CVSS 3.1
4.300000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.02%
6.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Enterprise Chat and Email | 12.0(1)_ES6, 12.0(1)_ES5a, 12.0(1)_ES6_ET1 |
Exploit Intelligence
- cisco-sa-ece-lite-agent-BCgSN8eb (circl)
Timeline
- May 6, 2026 CVE Published
- May 6, 2026 Security Advisory
- May 6, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score