Skip to content
CVSS 7.2 · HIGH

CVE-2026-20035

A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.

View on NVD

Analysis

Cisco Unity Connection Web Inbox is vulnerable to unauthenticated Server-Side Request Forgery (SSRF). This allows a remote attacker to send crafted requests through the server to access internal systems or services that are not directly exposed to the internet.

Severity

Score: 7.2(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: LOW
I: LOW
A: NONE
Weakness (CWE): CWE-918

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.

Published: 5/6/2026, 5:16:20 PM
Last modified: 5/6/2026, 6:59:53 PM

References

HomeEventsBlogResourcesTeam