External Control of File Name or Path in Cisco Finesse - CVE-2026-20175

 


Published: June 4, 2026


Vulnerability identifier: #VU133307
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20175
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Finesse

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script code in the context of the affected interface or disclose sensitive information.

The vulnerability exists due to external control of a file name or path in HTTP request handling in Cisco Finesse when it processes user-supplied input in crafted links sent to an affected device. A remote attacker can persuade a user to click a crafted link containing the affected device's address and thereby execute arbitrary script code in the context of the affected interface or disclose sensitive information.

Exploitation requires user interaction: the user must click a crafted link.


How to mitigate CVE-2026-20175

Install the security update from the vendor's website.
