CVE-2026-20091 is a stored cross-site scripting vulnerability found in the web-based management interface of Cisco Firepower Extensible Operating System (FXOS) and Cisco UCS Manager Software. This vulnerability arises from insufficient validation and neutralization of user-supplied input during web page generation, allowing malicious script injection. An attacker with valid administrator or AAA administrator credentials can inject malicious JavaScript payloads into specific pages of the management interface. When a legitimate user accesses these pages, the injected script executes within their browser context, potentially leading to theft of session tokens, unauthorized actions, or exposure of sensitive information accessible via the browser. The vulnerability affects several FXOS versions, notably 2.14.1.131, 2.14.1.143, 2.14.1.163, 2.14.1.167, and 2.16.0.128. Exploitation requires both authentication and user interaction, limiting the attack vector to insiders or compromised accounts. The vulnerability has a CVSS 3.1 base score of 4.8, indicating medium severity due to its limited impact scope and exploitation complexity. No public exploits or active exploitation have been reported to date. The root cause is inadequate input sanitization in the web interface, a common issue in web applications that handle administrative functions. Cisco has published advisories recommending updates and best practices to mitigate this risk.

The primary impact of CVE-2026-20091 is the potential compromise of confidentiality and integrity within the Cisco FXOS management interface. An attacker exploiting this vulnerability could execute arbitrary scripts in the context of an administrator's browser session, potentially stealing session cookies, performing unauthorized actions, or manipulating the interface to disrupt management operations. While availability is not directly affected, the breach of administrative control could lead to further attacks or misconfigurations impacting network security. Organizations relying on Cisco FXOS for firewall and security appliance management could face increased risk of insider threats or lateral movement if credentials are compromised. The requirement for valid administrator credentials and user interaction limits the threat to environments where attackers have already gained some level of access, but the consequences remain significant given the privileged nature of the interface. This vulnerability could facilitate persistent access or data exfiltration in targeted attacks against critical network infrastructure.

1. Apply official Cisco patches or updates for FXOS versions affected by CVE-2026-20091 as soon as they become available to ensure the vulnerability is remediated. 2. Restrict administrative access to the FXOS management interface using network segmentation, VPNs, or access control lists to limit exposure to trusted personnel only. 3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), for all administrator accounts to reduce the risk of credential compromise. 4. Regularly audit and monitor administrator account usage and login activity to detect suspicious behavior indicative of compromised credentials. 5. Educate administrators about the risks of phishing and social engineering that could lead to credential theft and subsequent exploitation of this vulnerability. 6. Consider implementing Content Security Policy (CSP) headers and other browser security features to mitigate the impact of XSS attacks where possible. 7. Review and sanitize all user inputs in custom configurations or integrations with the FXOS interface to prevent injection of malicious scripts. 8. Limit the number of users with administrator or AAA administrator roles to the minimum necessary to reduce the attack surface.