CVE-2026-20061
Received Received - Intake
SQL Injection in Cisco Unity Connection Web Interface Allows Data Access

Publication date: 2026-04-15

Last updated on: 2026-04-28

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20061
EUVD
EUVD-2026-22955
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
cisco unity_connection 14.0
cisco unity_connection 14su3
cisco unity_connection 14su2
cisco unity_connection 14su1
cisco unity_connection 14su3a
cisco unity_connection 14su4
cisco unity_connection 14su5
cisco unity_connection 15.0
cisco unity_connection 15su1
cisco unity_connection 15su2
cisco unity_connection 15su3
cisco unity_connection to 12.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the web-based management interface of Cisco Unity Connection. It allows an authenticated remote attacker to perform an SQL injection attack by sending a specially crafted HTTP(S) request. The attacker must have valid user credentials to exploit this issue.

The root cause is insufficient validation of user-supplied input, which enables the attacker to manipulate SQL queries executed by the device.

A successful exploit could allow the attacker to view data stored on the affected device.

Compliance Impact

This vulnerability allows an authenticated remote attacker to perform an SQL injection attack, potentially enabling unauthorized viewing of data on the affected device.

Such unauthorized data access could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability could negatively impact compliance by exposing protected data.

Impact Analysis

If exploited, this vulnerability could allow an attacker with valid credentials to view sensitive data on the affected Cisco Unity Connection device.

Although the attacker cannot modify or delete data (as indicated by the CVSS impact metrics), unauthorized data disclosure could lead to privacy breaches or information leakage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20061. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart