
Cisco FXOS and UCS Manager Interface Allows Malicious Script Code Execution

CVE-2026-20091
Summary

An attacker with admin credentials can inject malicious script code into the web-based management interface, a stored cross-site scripting (XSS) attack against users of that interface. This potentially allows the attacker to execute unauthorized scripts in the context of the interface or access sensitive browser-based information. This affects Cisco FXOS Software and Cisco UCS Manager Software. Administrators should ensure they only grant admin access to trusted users and regularly review interface input validation.

Original title
A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (X...
Original description
A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.

This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious data into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with the role of Administrator or AAA Administrator. 
NVD CVSS 3.1: 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026