XML External Entity Exposure in Cisco Catalyst SD-WAN Manager
CVE-2026-20224

8.6 HIGH

Key Information:

Vendor: Cisco

CVE Published: 14 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-20224?

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow a remote, unauthenticated attacker to read arbitrary files on the affected system. The issue arises from inadequate handling of XML External Entities (XXE) during XML file parsing. An attacker can exploit the flaw by sending a specially crafted request, which gives them access to sensitive files stored on the affected system. The vulnerability poses a significant risk because it does not require valid user credentials and can lead to unauthorized data exposure.

Affected Version(s)

Cisco Catalyst SD-WAN Manager 20.1.12

Cisco Catalyst SD-WAN Manager 19.2.1

Cisco Catalyst SD-WAN Manager 18.4.4

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
