Skip to main content

Altenar Sportsbook Software Platform CVE-2026-31262

| EUVDEUVD-2026-21388 MEDIUM
Information Exposure (CWE-200)
2026-04-10 mitre GHSA-g636-hw74-5gw3
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:26 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
6.1 (MEDIUM)
EUVD ID Assigned
Apr 10, 2026 - 15:15 euvd
EUVD-2026-21388
CVE Published
Apr 10, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter

AnalysisAI

Reflected cross-site scripting (XSS) in Altenar Sportsbook Software Platform (SB2) v.2.0 allows remote attackers to inject malicious scripts via URL parameters, enabling information disclosure and potential arbitrary code execution when users interact with crafted links. The vulnerability requires user interaction (click a malicious link) but affects all users regardless of authentication status, with EPSS score of 0.06% indicating very low real-world exploitation probability despite the moderate CVSS rating of 6.1. No confirmed active exploitation or public proof-of-concept code availability has been documented.

Technical ContextAI

This is a reflected cross-site scripting vulnerability (CWE-200: Information Exposure Through an Error Message) in a web-based sports betting platform. The vulnerability exists because the SB2 platform fails to properly sanitize or encode user-supplied input from URL parameters before rendering them in HTTP responses. When an attacker crafts a malicious URL containing JavaScript payload and tricks a user into clicking it, the browser executes the injected script in the context of the application, allowing the attacker to access session tokens, authentication cookies, or other sensitive data belonging to the victim user. The reflected nature means the payload must be delivered via a crafted link rather than stored on the server.

RemediationAI

Upgrade Altenar Sportsbook Software Platform (SB2) to a patched version released after the CVE disclosure; consult Altenar's security advisory or contact their support team for exact version numbers and upgrade procedures. As a temporary mitigation, implement a Web Application Firewall (WAF) rule to block requests containing common XSS payloads in URL parameters, restrict access to the SB2 platform via IP whitelisting where feasible, and educate users to avoid clicking suspicious links related to the betting platform. Additional details are available in the GitHub repository referenced (https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-31262).

Share

CVE-2026-31262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy