VYPR
Vypr Intelligence · AI-generated · Jun 3, 2026 · 3 CVEs

Cisco Discloses Three Vulnerabilities: SSRF, XSS, and Arbitrary File Load

Cisco Systems disclosed three vulnerabilities on June 3, 2026, affecting Webex Meetings, Unified Communications Manager, and Finesse, including a high-severity SSRF flaw.

Key findings

  • Cisco Webex Meetings, Unified Communications Manager, and Finesse affected by new vulnerabilities.
  • High-severity SSRF flaw (CVE-2026-20230) impacts Cisco Unified Communications Manager.
  • Medium-severity XSS vulnerability (CVE-2026-20233) disclosed for Cisco Webex Meetings.
  • Arbitrary file load vulnerability (CVE-2026-20175) affects Cisco Finesse.
  • Webex Meetings vulnerability patched; other products may require updates.

Cisco Systems has addressed three distinct vulnerabilities disclosed on June 3, 2026, impacting several of its key communication and collaboration products. The disclosures include a high-severity server-side request forgery (SSRF) flaw in Cisco Unified Communications Manager, a medium-severity cross-site scripting (XSS) vulnerability in Cisco Webex Meetings, and a medium-severity arbitrary file load vulnerability in Cisco Finesse.

The most critical of these is CVE-2026-20230, a server-side request forgery vulnerability affecting Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This flaw, rated High with a CVSSv3 score of 8.6, could permit an unauthenticated, remote attacker to execute SSRF attacks through an affected device. The vulnerability stems from insufficient validation of user-supplied input.

Separately, CVE-2026-20233, a medium-severity (CVSSv3 6.1) cross-site scripting (XSS) vulnerability, was identified in the web-based user interface of Cisco Webex Meetings. This vulnerability could enable an unauthenticated, remote attacker to inject malicious scripts into web pages viewed by other users. Cisco has stated that this vulnerability has been addressed within the Webex Meetings service itself, and no customer action is required.

Rounding out the disclosures is CVE-2026-20175, another medium-severity (CVSSv3 6.1) vulnerability impacting Cisco Finesse. This flaw allows an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session. It is due to insufficient validation of user-supplied input for HTTP requests and could potentially lead to various browser-based attacks.

Cisco has indicated that CVE-2026-20230 and CVE-2026-20175 are both due to insufficient validation of user-supplied input. While the Webex Meetings vulnerability (CVE-2026-20233) has been fixed within Cisco's service, details on specific patches or version updates for the Unified CM and Finesse vulnerabilities were not immediately available in the initial advisories. This suggests that customers may need to apply software updates or consult the specific Cisco security advisories for remediation steps.

Users of Cisco Unified Communications Manager, Cisco Webex Meetings, and Cisco Finesse should review Cisco's security advisories for the latest information on affected versions and remediation guidance. The simultaneous disclosure of these vulnerabilities highlights the ongoing need for vigilance in securing communication platforms.

AI-written article. Grounded in 3 CVE records listed below.