Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter
AnalysisAI
Reflected cross-site scripting (XSS) in Altenar Sportsbook Software Platform (SB2) v.2.0 allows remote attackers to inject malicious scripts via URL parameters, enabling information disclosure and potential arbitrary code execution when users interact with crafted links. The vulnerability requires user interaction (click a malicious link) but affects all users regardless of authentication status, with EPSS score of 0.06% indicating very low real-world exploitation probability despite the moderate CVSS rating of 6.1. No confirmed active exploitation or public proof-of-concept code availability has been documented.
Technical ContextAI
This is a reflected cross-site scripting vulnerability (CWE-200: Information Exposure Through an Error Message) in a web-based sports betting platform. The vulnerability exists because the SB2 platform fails to properly sanitize or encode user-supplied input from URL parameters before rendering them in HTTP responses. When an attacker crafts a malicious URL containing JavaScript payload and tricks a user into clicking it, the browser executes the injected script in the context of the application, allowing the attacker to access session tokens, authentication cookies, or other sensitive data belonging to the victim user. The reflected nature means the payload must be delivered via a crafted link rather than stored on the server.
RemediationAI
Upgrade Altenar Sportsbook Software Platform (SB2) to a patched version released after the CVE disclosure; consult Altenar's security advisory or contact their support team for exact version numbers and upgrade procedures. As a temporary mitigation, implement a Web Application Firewall (WAF) rule to block requests containing common XSS payloads in URL parameters, restrict access to the SB2 platform via IP whitelisting where feasible, and educate users to avoid clicking suspicious links related to the betting platform. Additional details are available in the GitHub repository referenced (https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-31262).
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21388
GHSA-g636-hw74-5gw3