CVE-2020-26574

CRITICAL

Leostream Connection Broker 8.2.x - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26574. PoCs published by X-C3LL.

AI-analyzed exploit summary: This PoC demonstrates a stored XSS vulnerability in Leostream's web interface, leveraging a crafted User-Agent header to inject malicious JavaScript. The exploit chain involves iframe manipulation to navigate the target application and upload a malicious file.

Description

Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the User-Agent HTTP header of a request to webquery.pl. The injected code is rendered in the admin interface the next time an administrator logs in. The injected JavaScript can be used to force the admin to upload a malicious Perl script, which is then executed as root via libMisc::browser_client. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Exploits (1)

GitHub · working PoC · 11 stars
by X-C3LL · Python PoC
https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2020-26574


Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Leostream (version not specified)
Authentication: No auth needed
Prerequisites: Access to the Leostream web interface · Victim interaction to trigger the XSS payload
Analyzed by devstral-2 on Feb 27, 2026

References (2)

Core References (2)
- Exploit, Third Party Advisory (x_refsource_misc): https://adepts.of0x.cc/leostream-xss-to-rce/
- Release Notes, Vendor Advisory (x_refsource_misc): https://www.leostream.com/resources/product-lifecycle/

Scores

CVSS v3: 9.6
EPSS: 0.0209
EPSS Percentile: 79.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE: CWE-79
Status: published
Products (1): leostream/connection_broker 8.2.15 - 8.2.73
Published: Oct 06, 2020
Tracked Since: Feb 18, 2026