CVE-2026-20061SQL Injection in Cisco Unity Connection

CWE-89SQL Injection4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 93.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco Unity Connection
Timeline
PublishedApr 15

Description

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affect

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

CVEListV5cisco/cisco_unity_connection11 versions+10

🔴Vulnerability Details

3
CVEList
Cisco Unity Connection SQL Injection Vulnerability2026-04-15
GHSA
GHSA-3w73-fhv4-qr7q: A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL inject2026-04-15
VulDB
Cisco Unity Connection up to 15SU3 Web-based Management Interface sql injection (cisco-sa-unity-vulns-n2EJSbbw / EUVD-2026-22955)2026-04-15
CVE-2026-20061 — SQL Injection in Cisco | cvebase