CVE-2026-20061

MEDIUM

Cisco Unity Connection SQL Injection Vulnerability

Title source: cna

Description

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-vulns-n2EJSbbw

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 8.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-89

Status published

Products (11)

Cisco/Cisco Unity Connection 14

Cisco/Cisco Unity Connection 14SU1

Cisco/Cisco Unity Connection 14SU2

Cisco/Cisco Unity Connection 14SU3

Cisco/Cisco Unity Connection 14SU3a

Cisco/Cisco Unity Connection 14SU4

Cisco/Cisco Unity Connection 14SU5

Cisco/Cisco Unity Connection 15

Cisco/Cisco Unity Connection 15SU1

Cisco/Cisco Unity Connection 15SU2

... and 1 more

Published Apr 15, 2026

Tracked Since Apr 15, 2026