CVE-2020-26799
Published: 21 July 2025
Summary
CVE-2020-26799 is a reflected cross-site scripting (CWE-79) vulnerability in index.php of Luxcal 4.5.2; the product is identified from the linked disclosure, which was published by Suryadina (Suryadina is the disclosing party, not the affected software). Its recorded CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 25.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering): validate the index.php parameters at the input boundary and HTML-encode them where the page writes them back into the response.
Deeper analysis
CVE-2020-26799 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the index.php file in Luxcal version 4.5.2. Published on 2025-07-21, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical for high impacts on confidentiality, integrity, and availability. One caveat for practitioners: that vector (no user interaction, unchanged scope, all three impacts High) is unusual for a reflected XSS, which by nature runs in a victim's browser only after the victim loads attacker-controlled input; treat the 9.8 as the catalogued value rather than as evidence of server-side code execution.
The vector records no privileges and no user interaction; in practice an attacker crafts a URL to index.php carrying the payload and gets a victim to open it, usually by link. The script then executes in the victim's browser under the Luxcal origin and can read or forward whatever that user's session can see, which is the "steal other users' data" impact described in the disclosure.
Advisories and patches for mitigation are detailed in the references: the vulnerability disclosure at https://suryadina.com/luxcal-reflected-xss-cve-2020-26799/, the Luxcal download page at https://www.luxsoft.eu/index.php?pge=dload, and a demonstration video at https://youtu.be/npw9jcQ1h1U.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-19335
Vulnerability details
A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Reflected XSS in a public-facing web application (Luxcal's index.php) is reachable by any remote client and, per the disclosure, needs no authentication, so the entry point is exploitation of the public-facing application (T1190). The payload itself still runs only in a victim's browser after that victim loads the crafted URL; what the attacker gains is that user's session data, not direct access to the server.
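As an added example (not part of this advisory or of Luxcal), the following Node.js script shows what a T1190-oriented detection for this flaw looks like on the web tier: it parses combined-format (Apache/Nginx) access log lines, percent-decodes index.php query parameters with one extra decoding round for double-encoded payloads, and flags values carrying XSS indicators. The log lines are constructed for the example, and the parameter name msg is a placeholder; the page does not identify which index.php parameter is vulnerable.

```javascript
// Added example, not part of the advisory or of Luxcal: flag reflected-XSS probes
// against index.php in combined-format (Apache/Nginx) access logs.
// The log lines are constructed; `msg` is a placeholder parameter name.

const COMBINED_LOG = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Indicators that a query value carries HTML/JS rather than calendar data.
const XSS_PATTERNS = [
  /<\s*script/i,                                                 // <script>...</script>
  /<\s*(img|svg|iframe|body|details|input)\b[^>]*\bon\w+\s*=/i,  // <img src=x onerror=...>
  /\bon(error|load|focus|mouseover|toggle)\s*=/i,                // bare handler after attribute breakout
  /javascript\s*:/i,                                             // href="javascript:..."
];

// Percent-decode a value the attacker may have encoded more than once.
function fullyDecode(value, rounds = 2) {
  let out = value;
  for (let i = 0; i < rounds && /%[0-9a-f]{2}/i.test(out); i++) {
    try { out = decodeURIComponent(out); } catch { break; } // stop on malformed %XX
  }
  return out;
}

// Split the request target into path and once-decoded [name, value] pairs.
function parseTarget(target) {
  const url = new URL(target, 'http://localhost');
  return { path: url.pathname, params: Array.from(url.searchParams) };
}

// Return a finding for a suspicious index.php request, or null.
function scanLine(line) {
  const m = COMBINED_LOG.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const { path, params } = parseTarget(target);
  if (!path.endsWith('/index.php')) return null;
  for (const [name, rawValue] of params) {
    const value = fullyDecode(rawValue);
    const hit = XSS_PATTERNS.find((re) => re.test(value));
    if (hit) return { ip, ts, method, status: Number(status), param: name, value, pattern: hit.source };
  }
  return null;
}

function scanLog(text) {
  return text.split('\n').filter((l) => l.trim()).map(scanLine).filter(Boolean);
}

// Constructed sample: a plain probe, two benign requests, and a double-encoded probe.
const SAMPLE_LOG = [
  '203.0.113.7 - - [21/Jul/2025:10:01:02 +0000] "GET /index.php?msg=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [21/Jul/2025:10:01:09 +0000] "GET /index.php?pge=dload HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [21/Jul/2025:10:01:40 +0000] "GET /css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [21/Jul/2025:10:02:00 +0000] "GET /index.php?msg=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "curl/8.0"',
].join('\n');

console.log(scanLog(SAMPLE_LOG));
```

Matching on decoded values catches the plain and double-encoded forms in the sample; richer evasions (HTML entities inside the value, tags split across parameters) need further normalisation, and a 200 response to a probe only shows the request reached index.php, not that any victim ran the payload.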
Affected Assets
- Luxcal 4.5.2 (index.php)
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the specific reflected XSS flaw in Luxcal 4.5.2 index.php by requiring timely identification, reporting, and patching; in practice, obtain a fixed release from the Luxcal download page referenced above.
- SI-15 (Information Output Filtering): prevents execution of reflected scripts by HTML-encoding the parameter at the point where index.php writes it back into the response; the encoding must match the output context (text node versus attribute value), since an attribute breakout needs only a quote character.
- SI-10 (Information Input Validation): blocks injection by validating the index.php parameters (type, length, allowed characters) before processing. Validation alone is not sufficient, because legitimate input can contain characters that are dangerous in HTML, so it complements rather than replaces output encoding.
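To make the SI-10/SI-15 pairing concrete, here is an added example, not Luxcal's code: a minimal Node.js handler that reflects a query parameter into two HTML contexts the vulnerable way, alongside the hardened version that validates the input and encodes it at each sink, with a CSP as defence in depth. The parameter name msg, the 200-character cap, and the CSP value are assumptions for illustration.

```javascript
// Added example, not Luxcal's code: a reflected-XSS sink and its hardened form.
// The page does not name the vulnerable index.php parameter; `msg` is a placeholder.

// SI-15 at the sink: escape the characters that change meaning in HTML text and
// in double-quoted attribute values (plus '/' so '</' can never close a tag).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

// SI-10 at the boundary: accept one string, bound its length, drop control characters.
// Assumed policy for illustration; note it does NOT make the value HTML-safe by itself.
function validateMsg(raw) {
  if (Array.isArray(raw)) raw = raw[0];          // ?msg=a&msg=b must not yield an array
  const s = String(raw ?? '');
  if (s.length > 200) return '';
  return s.replace(/[\x00-\x1f\x7f]/g, '');
}

// Vulnerable pattern (CWE-79): untrusted input concatenated into a text node and
// into an attribute value. A value like "><img src=x onerror=...> escapes the attribute.
function renderVulnerable(query) {
  const msg = query.msg ?? '';
  return `<p class="notice">${msg}</p>\n<input name="msg" value="${msg}">`;
}

// Hardened: validate, then encode for the HTML context at the point of output.
function renderHardened(query) {
  const safe = escapeHtml(validateMsg(query.msg));
  return `<p class="notice">${safe}</p>\n<input name="msg" value="${safe}">`;
}

// Defence in depth if a reflected payload still reaches the page: a CSP without
// 'unsafe-inline' stops inline <script> blocks and on*= handlers from executing.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Query-string parsing as the handler would see it (percent-decoded).
function parseQuery(target) {
  return Object.fromEntries(new URL(target, 'http://localhost').searchParams);
}

// Constructed request for the demo: a classic attribute-breakout probe.
const PROBE = '/index.php?msg="><script>alert(document.cookie)</script>';

function demo() {
  const q = parseQuery(PROBE);
  const hardened = renderHardened(q);
  return {
    vulnerable: renderVulnerable(q),
    hardened,
    scriptEscaped: !/<script/i.test(hardened),
    csp: CSP_HEADER,
  };
}

console.log(demo());
```

The same escapeHtml is correct for text nodes and double-quoted attributes only; a value placed inside a JavaScript string, a URL, or a CSS block needs that context's own encoder, which is why the fix belongs at each sink rather than in a single input filter.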