CVE-2026-20059
Received Received - Intake
Reflected XSS in Cisco Unity Connection Web Interface

Publication date: 2026-04-15

Last updated on: 2026-04-28

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20059
EUVD
EUVD-2026-22951
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
cisco unity_connection 14.0
cisco unity_connection 14su3
cisco unity_connection 14su2
cisco unity_connection 14su1
cisco unity_connection 14su3a
cisco unity_connection 14su4
cisco unity_connection 14su5
cisco unity_connection 15.0
cisco unity_connection 15su1
cisco unity_connection 15su2
cisco unity_connection 15su3
cisco unity_connection to 12.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the web-based management interface of Cisco Unity Connection. It allows an unauthenticated, remote attacker to perform a reflected Cross-Site Scripting (XSS) attack against a user of the interface.

The issue arises because the interface does not properly validate user-supplied input. An attacker can exploit this by convincing a user to click on a specially crafted link, which then executes arbitrary script code within the context of the affected interface.

Compliance Impact

This vulnerability allows an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack, potentially enabling execution of arbitrary script code or access to sensitive browser-based information.

Such unauthorized access to sensitive information could lead to violations of data protection requirements under standards like GDPR and HIPAA, which mandate safeguarding personal and health information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by exposing sensitive data through the affected web interface.

Impact Analysis

If exploited, this vulnerability could allow an attacker to execute arbitrary scripts in the context of the web-based management interface.

This could lead to unauthorized access to sensitive browser-based information or actions performed on behalf of the user, potentially compromising the security and integrity of the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20059. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart