CVE-2026-20061 | THREATINT

Description

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.

PUBLISHED Reserved 2025-10-08 | Published 2026-04-15 | Updated 2026-04-15 | Assigner cisco

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unknown

affected

14SU1

affected

14SU2

affected

14SU3

affected

14SU3a

affected

15SU1

affected

14SU4

affected

15SU2

affected

15SU3

affected

14SU5

affected

References

sec.cloudapps.cisco.com/...ory/cisco-sa-unity-vulns-n2EJSbbw (cisco-sa-unity-vulns-n2EJSbbw)

cve.org (CVE-2026-20061)

nvd.nist.gov (CVE-2026-20061)

Download JSON