CVE-2026-3983

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability exists in Campcodes Division Regional Athletic Meet Game Result Matrix System version 2.1. The flaw resides in the save-games.php file, where the game_name parameter is not properly sanitized before being stored and later rendered in the application [2]. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed in the context of other users' browsers when they view the affected page.

Exploitation

The attack can be performed remotely without requiring authentication, as the vulnerable parameter is user-controllable. A proof-of-concept payload such as test demonstrates that unsanitized input is stored and executed upon page reload [2]. The exploit has been publicly released, increasing the risk of real-world attacks [1].

Impact

Successful exploitation enables an attacker to execute arbitrary script code in the browsers of users who access the stored data. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS v3 base score of 3.5 reflects the low severity due to the need for user interaction and the limited scope of impact, but the public availability of exploit code raises the practical risk.

Mitigation

As of the publication date, no official patch has been released by Campcodes. Users are advised to implement input validation and output encoding for the game_name parameter, or to disable the vulnerable functionality until a fix is available. The vendor's website provides the source code, allowing developers to apply their own sanitization [1][2].