{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31262", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T14:12:27.998Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T14:35:33.823Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS"}, {"url": "https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:10:22.057073Z", "id": "CVE-2026-31262", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:12:27.998Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:10:22.057073Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:12:21.869Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS"}, {"url": "https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T14:35:33.823Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31262", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:12:27.998Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:altenar:sportsbook:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A3794B87-BA93-4197-AEB0-E0DB9AC56B38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter"}], "id": "CVE-2026-31262", "lastModified": "2026-04-16T20:17:52.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-10T15:16:23.607", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "sportsbook_software_platform", "vendor": "altenar"}], "analysis": {"en": {"generated_at": "2026-04-16T09:13:37.179884+00:00", "value": {"mitigation_remediation": ["Sanitize or encode all user\u2011controlled URL parameters before rendering them to the browser; use a trusted library that escapes HTML and script contexts.", "Deploy a Content Security Policy that disallows inline scripts or limits script sources to trusted domains, thereby mitigating the impact of reflected XSS.", "Configure a web application firewall or custom rule set to block or cleanse malicious script payloads found in query strings, and restrict the vulnerable endpoint to authenticated users only.", "Monitor web traffic and application logs for attempts to inject unexpected scripts into URL parameters, and set up automated alerts for anomalous requests."], "summary": {"action": "Apply Controls", "impact": "Information Disclosure via XSS"}, "threat_synthesis": {"affected_systems": "Altenar Sportsbook Software Platform (SB2) v.2.0 is the only product referenced. Any deployment that serves the vulnerable endpoint from this version and exposes the reflected URL parameter is affected; no other vendors or product variations are listed.", "description_and_impact": "Cross\u2011Site Scripting vulnerability in Altenar Sportsbook Software Platform version\u202f2.0 lets an attacker embed malicious JavaScript into a URL parameter. When a user clicks the crafted link, the script executes in the victim\u2019s browser under the application\u2019s context, allowing the attacker to read sensitive page data or session information. The flaw aligns with information disclosure (CWE\u2011200) because the injected code can access and transmit confidential information, yet it does not grant server\u2011side code execution or system control.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS value of less than 1\u202f% suggests low real\u2011world exploitation. The vulnerability is not present in the CISA KEV catalog. The attack originates remotely from an unauthenticated user who injects a specialized URL; successful exploitation leads to arbitrary JavaScript execution in the victim\u2019s browser, enabling data theft or session hijacking but not providing server\u2011side control."}}}}, "created": "2026-04-13T12:51:45.330220+00:00", "title": "Information Disclosure via XSS in Altenar Sportsbook Platform 2.0 URL Parameter", "updated": "2026-04-16T09:15:30.992644+00:00", "vendors": ["altenar", "altenar$PRODUCT$sportsbook_software_platform"]}