CVE-2026-20047

EPSS 0.01%
Veröffentlicht 15.01.2026 16:32:15
Zuletzt bearbeitet 30.01.2026 19:58:27
Quelle psirt@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

Cisco Identity Services Engine Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 22 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Identity Services Engine Version < 3.2

Cisco ≫ Identity Services Engine Version3.2.0 Update-

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch3

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch4

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch5

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch6

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch7

Cisco ≫ Identity Services Engine Version3.3.0

Cisco ≫ Identity Services Engine Version3.3.0 Update-

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch3

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch4

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch5

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch6

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch7

Cisco ≫ Identity Services Engine Version3.4.0 Update-

Cisco ≫ Identity Services Engine Version3.4.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.4.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.4.0 Updatepatch3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.021

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@cisco.com	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-964cdxW5

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-20047

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-20047

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-20047

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-20047