Security readout for executives and security teams
Plain-English summary
CVE-2020-26799 is reported as a reflected XSS issue in Luxcal 4.5.2 index.php. An unauthenticated attacker could use it to affect another user’s browser session and potentially steal data. The source bundle rates it critical, but available affected-product metadata is incomplete.
Executive priority
Prioritize this for rapid assessment if Luxcal is used externally. The potential business risk is account or data compromise through browser-side execution, but remediation details are not proven in the provided sources.
Technical view
The CVE describes CWE-79 reflected cross-site scripting in Luxcal 4.5.2 index.php, with CVSS 3.1 score 9.8. The record says no privileges are required and reports high confidentiality, integrity, and availability impact. The affected vendor/product fields are listed as n/a despite the Luxcal version in the description.
Likely exposure
Exposure is most likely where Luxcal 4.5.2 is reachable by untrusted users, especially on public web servers. The bundle does not identify other versions or CPEs, so asset owners must verify installed Luxcal versions directly.
Exploitation context
The source bundle includes a blog and video reference, but KEV is false and no cited source in the bundle establishes active exploitation. Treat exploit availability as unconfirmed from the provided evidence.
Researcher notes
CWE-79 is the relevant weakness. The CVSS vector lists UI:N, which is unusual for reflected XSS; validate behavior against primary references before relying on the score alone. Do not assume affected versions beyond Luxcal 4.5.2 from this bundle.
Mitigation direction
- Inventory Luxcal deployments and identify any 4.5.2 installations.
- Check LuxSoft guidance or downloads for a supported fixed release.
- Prioritize upgrading or applying vendor-supported remediation when confirmed.
- Restrict untrusted access to affected Luxcal instances where business allows.
- Monitor index.php requests for suspicious reflected-input patterns.
Validation and detection
- Confirm whether Luxcal 4.5.2 is installed on any managed hosts.
- Verify whether index.php is publicly reachable or behind access controls.
- Review web logs for unusual index.php parameters or encoded input.
- Check vendor and CVE references for updated affected-version or fix details.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-26799 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
9.8CriticalVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://www.luxsoft.eu/index.php?pge=dloadCVE reference
- https://youtu.be/npw9jcQ1h1UCVE reference
- https://suryadina.com/luxcal-reflected-xss-cve-2020-26799/CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
