Improper Neutralization of Special Elements in Output Used by a Downstream Component in Crosswork Network Controller - CVE-2026-20220

 

Published: June 17, 2026


Vulnerability identifier: #VU134762
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-20220
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software: Crosswork Network Controller

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands.

The vulnerability exists due to insufficient input validation in the configuration template engine of the web-based management interface when handling crafted requests. A remote user can send a crafted request to execute arbitrary commands.

Command execution is limited to areas of the underlying operating system file system for which the template user has write permissions. Template users with read permissions cannot exploit this vulnerability.


How to mitigate CVE-2026-20220

Install the security update from the vendor's website.
