LiveActive security incident?Get immediate response
CVE Record

CVE-2020-26799: A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allo...

A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2020-26799 is reported as a reflected XSS issue in Luxcal 4.5.2 index.php. An unauthenticated attacker could use it to affect another user’s browser session and potentially steal data. The source bundle rates it critical, but available affected-product metadata is incomplete.

Executive priority

Prioritize this for rapid assessment if Luxcal is used externally. The potential business risk is account or data compromise through browser-side execution, but remediation details are not proven in the provided sources.

Technical view

The CVE describes CWE-79 reflected cross-site scripting in Luxcal 4.5.2 index.php, with CVSS 3.1 score 9.8. The record says no privileges are required and reports high confidentiality, integrity, and availability impact. The affected vendor/product fields are listed as n/a despite the Luxcal version in the description.

Likely exposure

Exposure is most likely where Luxcal 4.5.2 is reachable by untrusted users, especially on public web servers. The bundle does not identify other versions or CPEs, so asset owners must verify installed Luxcal versions directly.

Exploitation context

The source bundle includes a blog and video reference, but KEV is false and no cited source in the bundle establishes active exploitation. Treat exploit availability as unconfirmed from the provided evidence.

Researcher notes

CWE-79 is the relevant weakness. The CVSS vector lists UI:N, which is unusual for reflected XSS; validate behavior against primary references before relying on the score alone. Do not assume affected versions beyond Luxcal 4.5.2 from this bundle.

Mitigation direction

  • Inventory Luxcal deployments and identify any 4.5.2 installations.
  • Check LuxSoft guidance or downloads for a supported fixed release.
  • Prioritize upgrading or applying vendor-supported remediation when confirmed.
  • Restrict untrusted access to affected Luxcal instances where business allows.
  • Monitor index.php requests for suspicious reflected-input patterns.

Validation and detection

  • Confirm whether Luxcal 4.5.2 is installed on any managed hosts.
  • Verify whether index.php is publicly reachable or behind access controls.
  • Review web logs for unusual index.php parameters or encoded input.
  • Check vendor and CVE references for updated affected-version or fix details.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-79: User-session and phishing behavior lookup

Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-26799 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2020-26799Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-79 · source CWE mapping

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.