CVE-2026-20059
Reflected XSS in Cisco Unity Connection Web Interface
Publication date: 2026-04-15
Last updated on: 2026-04-28
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | unity_connection | 14.0 |
| cisco | unity_connection | 14su3 |
| cisco | unity_connection | 14su2 |
| cisco | unity_connection | 14su1 |
| cisco | unity_connection | 14su3a |
| cisco | unity_connection | 14su4 |
| cisco | unity_connection | 14su5 |
| cisco | unity_connection | 15.0 |
| cisco | unity_connection | 15su1 |
| cisco | unity_connection | 15su2 |
| cisco | unity_connection | 15su3 |
| cisco | unity_connection | to 12.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the web-based management interface of Cisco Unity Connection. It allows an unauthenticated, remote attacker to perform a reflected Cross-Site Scripting (XSS) attack against a user of the interface.
The issue arises because the interface does not properly validate user-supplied input. An attacker can exploit this by convincing a user to click on a specially crafted link, which then executes arbitrary script code within the context of the affected interface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack, potentially enabling execution of arbitrary script code or access to sensitive browser-based information.
Such unauthorized access to sensitive information could lead to violations of data protection requirements under standards like GDPR and HIPAA, which mandate safeguarding personal and health information against unauthorized access and breaches.
Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by exposing sensitive data through the affected web interface.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to execute arbitrary scripts in the context of the web-based management interface.
This could lead to unauthorized access to sensitive browser-based information or actions performed on behalf of the user, potentially compromising the security and integrity of the affected system.