CVE-2026-20224 HIGH

CVE-2026-20224: Cisco Catalyst SD-WAN Manager XML External Entity Injection Vulnerability

Vendor Cisco
Product Cisco Catalyst SD-WAN Manager
Weakness CWE-20 · Input validation
Published May 14, 2026
Last update May 14, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system. The attacker does not need to have valid user credentials. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to read arbitrary files that are stored in the affected system.

Key dates

02Disclosure timeline

May 14, 2026 CVE published
May 14, 2026 Record updated