Medium6.1Cisco Updated
Cisco Unity Connection Cross-Site Scripting, Open Redirect, and SQL Injection Vulnerabilities
cisco-sa-unity-vulns-n2EJSbbw Published Apr 15, 2026Updated by vendor Apr 15, 2026
CVE-2026-20059CVE-2026-20060CVE-2026-20061
Affected products & platforms
CiscoUnified Communications
Summary
Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to conduct a cross-site scripting (XSS) attack, an open redirect attack, and an SQL injection attack. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities.
Affected versions
- Scope: At the time of publication, these vulnerabilities affected Cisco Unity Connection, regardless of device configuration.
- 12.5 — Migrate to a fixed release
- Release 14 (first fixed: 14SU6 / 14SU5)
- Release 15 (first fixed: 15SU4)
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Fixed versions
- 14SU6 / 14SU5
- 15SU4
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade to the first fixed release for your train per the Fixed Releases table in this advisory.
- Release 12.5: migrate to a fixed release.
- Release 14: upgrade to 14SU6 / 14SU5.
- Release 15: upgrade to 15SU4.
Temporary workarounds
- There are no workarounds that address these vulnerabilities.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.