CVE-2026-20059
Description
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| cisco | unity_connection | {"endIncluding":"12.5"} | |
| cisco | unity_connection | 14.0 | |
| cisco | unity_connection | 14su1 | |
| cisco | unity_connection | 14su2 | |
| cisco | unity_connection | 14su3 | |
| cisco | unity_connection | 14su3a | |
| cisco | unity_connection | 14su4 | |
| cisco | unity_connection | 14su5 | |
| cisco | unity_connection | 15.0 | |
| cisco | unity_connection | 15su1 | |
| cisco | unity_connection | 15su2 | |
| cisco | unity_connection | 15su3 | |
References
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.