CVE-2026-20112

EUVD-2026-15442
A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
Cross-site Scripting
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.8 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| cisco | CNA | 4.8 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
EPSS Score percentile: Unknown
Affected Products (NVD)
Vendor: cisco
Product: ios_xe
Vulnerable software versions:
16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4a, 16.6.5a, 16.6.6, 16.6.7, 16.6.8, 16.6.9, 16.6.10
16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4
16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3
16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.3, 16.9.4, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8
16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, 16.10.3
16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s
16.12.1, 16.12.1s, 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, 16.12.1x, 16.12.1t, 16.12.4, 16.12.3s, 16.12.3a, 16.12.4a, 16.12.5, 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.10a, 16.12.11
17.1.1, 17.1.1a, 17.1.1s, 17.1.1t, 17.1.3
17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3
17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, 17.3.8, 17.3.8a
17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.2a
17.5.1, 17.5.1a
17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.6.6a, 17.6.5a, 17.6.7, 17.6.8, 17.6.8a
17.7.1, 17.7.1a, 17.7.1b, 17.7.2
17.10.1, 17.10.1a, 17.10.1b
17.8.1, 17.8.1a
17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.9.5, 17.9.4a, 17.9.5a, 17.9.5b, 17.9.6, 17.9.6a, 17.9.7, 17.9.5e, 17.9.5f, 17.9.8, 17.9.7a, 17.9.7b
17.11.1, 17.11.1a
17.12.1, 17.12.1w, 17.12.1a, 17.12.1x, 17.12.2, 17.12.3, 17.12.2a, 17.12.1y, 17.12.1z, 17.12.4, 17.12.3a, 17.12.1z1, 17.12.1z2, 17.12.4a, 17.12.5, 17.12.4b, 17.12.1z3, 17.12.5a, 17.12.1z4, 17.12.6, 17.12.5b, 17.12.5c, 17.12.6a, 17.12.5d, 17.12.1z5, 17.12.1z6, 17.12.6b
17.13.1, 17.13.1a
17.14.1, 17.14.1a
17.15.1, 17.15.1w, 17.15.1a, 17.15.2, 17.15.1b, 17.15.1x, 17.15.1z, 17.15.3, 17.15.2c, 17.15.2a, 17.15.1y, 17.15.2b, 17.15.3a, 17.15.4, 17.15.3b, 17.15.4d, 17.15.4e
17.16.1, 17.16.1a
17.17.1
17.18.1, 17.18.1w, 17.18.1a