Cisco Unity Connection SQL Injection Vulnerability

CVE	CVE-2026-20061
State	PUBLISHED
Assigner	cisco
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-15 17:17:01 UTC
Updated	2026-04-28 16:30:48 UTC
Description	A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.

Primary CVSS: v3.1 6.5 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.000300000 probability, percentile 0.086470000 (date 2026-04-21)

Problem Types: CWE-89 | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	6.5	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
3.1	[email protected]	Secondary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`
3.1	CNA	CVSSV3_1	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Type	Vendor	Product	Version	Update	Edition	Language
Application	Cisco	Unity Connection	14.0	All	All	All
Application	Cisco	Unity Connection	14su1	All	All	All
Application	Cisco	Unity Connection	14su2	All	All	All
Application	Cisco	Unity Connection	14su3	All	All	All
Application	Cisco	Unity Connection	14su3a	All	All	All
Application	Cisco	Unity Connection	14su4	All	All	All
Application	Cisco	Unity Connection	14su5	All	All	All
Application	Cisco	Unity Connection	15.0	All	All	All
Application	Cisco	Unity Connection	15su1	All	All	All
Application	Cisco	Unity Connection	15su2	All	All	All
Application	Cisco	Unity Connection	15su3	All	All	All
Application	Cisco	Unity Connection	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Cisco	Cisco Unity Connection	affected 14	Not specified
CNA	Cisco	Cisco Unity Connection	affected 14SU1	Not specified
CNA	Cisco	Cisco Unity Connection	affected 14SU2	Not specified
CNA	Cisco	Cisco Unity Connection	affected 14SU3	Not specified
CNA	Cisco	Cisco Unity Connection	affected 14SU3a	Not specified
CNA	Cisco	Cisco Unity Connection	affected 15	Not specified
CNA	Cisco	Cisco Unity Connection	affected 15SU1	Not specified
CNA	Cisco	Cisco Unity Connection	affected 14SU4	Not specified
CNA	Cisco	Cisco Unity Connection	affected 15SU2	Not specified
CNA	Cisco	Cisco Unity Connection	affected 15SU3	Not specified
CNA	Cisco	Cisco Unity Connection	affected 14SU5	Not specified

Reference	Source	Link	Tags
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-...	[email protected]	sec.cloudapps.cisco.com	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

CNA: The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

There are currently no legacy QID mappings associated with this CVE.