Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in the web-based user interface of Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. Cisco has addressed this vulnerability in the Webex Meetings service, and no customer action is needed.
This vulnerability existed because of insufficient validation of user input. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information.
AnalysisAI
Cross-site scripting in Cisco Webex Meetings' web-based UI allowed unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by persuading them to follow a crafted malicious link. Insufficient input validation (CWE-79) in the Webex Meetings web interface is the root cause; the Changed Scope (S:C) in the CVSS vector indicates impact extends beyond the Webex application into the broader browser context, enabling session theft or browser-based data access. Cisco has fully remediated this server-side in the Webex cloud service, and no customer action is required. No public exploit code identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a classic reflected XSS pattern where attacker-controlled input is embedded into a web response without adequate sanitization or encoding. The affected product, identified by CPE cpe:2.3:a:cisco:cisco_webex_meetings:*:*:*:*:*:*:*:*, is Cisco Webex Meetings - a cloud-hosted SaaS collaboration platform accessed primarily through a browser-based UI. Because the application is entirely cloud-delivered, the exploitable surface is Cisco's own infrastructure rather than customer-deployed software. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N confirms network exploitation, no privileges required, but with mandatory user interaction, and a scope change indicating the injected script can affect resources outside the Webex application boundary (e.g., reading cross-origin cookies or executing in the user's browser session).
RemediationAI
Cisco has already patched this vulnerability directly within the Webex Meetings cloud infrastructure - no customer action is required, and no on-premises patch or configuration change is needed. Because this is a cloud-delivered SaaS product, all users accessing the Webex Meetings web interface are automatically protected following Cisco's server-side remediation. Organizations should verify their security ticketing reflects this as vendor-resolved, and can reference Cisco Security Advisory cisco-sa-webex-xss-jw3NeQzS at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-jw3NeQzS for closure documentation. Prior to the fix being applied, a compensating control would have been to train users to avoid clicking unsolicited or unexpected Webex meeting links, and to use browser content security policy (CSP) extensions to limit script execution - though these are no longer necessary given the server-side fix.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34135
GHSA-474g-pxq3-xp9q