CVE-2026-20059 | Cisco Unity Connection up to 15SU4 Web-based Management Interface cross site scripting (cisco-sa-unity-vulns-n2EJSbbw / EUVD-2026-22951)

VDB-357754 · CVE-2026-20059 · EUVD-2026-22951 CISCO UNITY CONNECTION UP TO 15SU4 WEB-BASED MANAGEMENT INTERFACE CROSS SITE SCRIPTING HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.1 $0-$5k 4.47+ Summaryinfo A vulnerability described as problematic has been identified in Cisco Unity Connection up to 15SU4. Affected by this issue is some unknown functionality of the component Web-based Management Interface. Executing a manipulation can lead to cross site scripting. The identification of this vulnerability is CVE-2026-20059. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended. Detailsinfo A vulnerability has been found in Cisco Unity Connection up to 15SU4 and classified as problematic. This vulnerability affects an unknown code block of the component Web-based Management Interface. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. CVE summarizes: A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The advisory is available at sec.cloudapps.cisco.com. This vulnerability was named CVE-2026-20059 since 10/08/2025. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 04/15/2026). This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project. Upgrading eliminates this vulnerability. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-22951). Productinfo Type Unified Communication Software Vendor Cisco Name Unity Connection Version 14 14SU1 14SU2 14SU3 14SU3a 14SU4 14SU5 15 15SU1 15SU2 15SU3 15SU4 License commercial Website Vendor: https://www.cisco.com/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.2 VulDB Meta Temp Score: 5.1 VulDB Base Score: 4.3 VulDB Temp Score: 4.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 6.1 CNA Vector (cisco): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Cross site scripting CWE: CWE-79 / CWE-94 / CWE-74 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Timelineinfo 10/08/2025 CVE reserved 04/15/2026 +189 days Advisory disclosed 04/15/2026 +0 days VulDB entry created 04/15/2026 +0 days VulDB entry last update Sourcesinfo Vendor: cisco.com Advisory: cisco-sa-unity-vulns-n2EJSbbw Status: Confirmed CVE: CVE-2026-20059 (🔒) GCVE (CVE): GCVE-0-2026-20059 GCVE (VulDB): GCVE-100-357754 EUVD: 🔒 Entryinfo Created: 04/15/2026 18:30 Updated: 04/15/2026 20:03 Changes: 04/15/2026 18:30 (65), 04/15/2026 20:03 (1) Complete: 🔍 Cache ID: 99:2DE:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸