CVE-2026-5922 PUBLISHED

Poly Voice – Potential Unauthorized Modification of WebUI using XSS Attack

Assigner: hp
Reserved: 08.04.2026 Published: 08.07.2026 Updated: 09.07.2026

The IP phone might use malicious input stored in configuration parameters and render it as content for the WebUI’s webpage.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.9

Product Status

Vendor HP Inc.
Product Poly CCX
Versions Default: unknown
  • affected from 0 to 9.5.0 (excl.)
Vendor HP Inc.
Product Poly Edge E
Versions Default: unknown
  • affected from 0 to 8.6.0 (excl.)
Vendor HP Inc.
Product Poly Trio C60
Versions Default: unknown
  • affected from 0 to 9.5.0 (excl.)

References

Problem Types

  • CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE