CVE-2026-3984
Description
A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. This manipulation of the argument a_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1 has a stored XSS vulnerability in save_up_athlete.php via the a_name parameter.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in Campcodes Division Regional Athletic Meet Game Result Matrix System version 2.1. The flaw resides in the save_up_athlete.php file, where the `a_name` parameter is not properly sanitized before being stored and later rendered in the application. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed in the context of other users' browsers when they view the affected athlete's profile [2].
Exploitation
The vulnerability can be triggered remotely without authentication, as the application fails to validate or encode user-supplied input in the a_name field. A proof-of-concept payload such as test demonstrates that the injected script is stored and executed upon page reload [2].
Impact
An attacker can exploit this stored XSS to execute arbitrary script code in the browsers of other users, potentially leading to session hijacking, data theft, or defacement of the application. The CVSS v3 base score is 3.5 (Low), reflecting the need for user interaction to trigger it and the fact that the attacker does not gain direct control over the server [1].
Mitigation
The vendor, Campcodes, has not released a patch as of the publication date. Users should apply input validation and output encoding to the a_name parameter, or consider disabling the affected functionality or upgrading to a newer version if available [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
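One way to apply the input validation and output encoding recommended under Mitigation to `a_name`, as an added example that is not code from Campcodes or from the cited references. The function names, the character allowlist and the 100-character limit are assumptions, and the sample inputs are constructed.

```php
<?php
// Added illustration, not Campcodes code. Function names, the character
// allowlist and the 100-character limit are assumptions. Requires PHP 8+.
declare(strict_types=1);

/**
 * Input validation for a_name: accept only Unicode letters, combining marks,
 * spaces, periods, apostrophes and hyphens, 1 to 100 characters.
 * Returns the trimmed name, or null when the request should be rejected.
 */
function validate_athlete_name(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;                       // PHP turns a_name[]=... into an array
    }
    $name = trim($raw);
    // The /u flag also makes preg_match fail on invalid UTF-8 byte sequences.
    if (preg_match('/\A[\p{L}\p{M} .\'-]{1,100}\z/u', $name) !== 1) {
        return null;                       // < > " & and control characters land here
    }
    return $name;
}

/** Output encoding for HTML text nodes and quoted attribute values. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['Maria Dela Cruz', "O'Neil Jr.", '<b>test</b>', ['x']];
foreach ($samples as $input) {
    $verdict = validate_athlete_name($input) === null ? 'rejected' : 'accepted';
    $label = is_string($input) ? $input : gettype($input);
    echo $verdict . ': ' . h($label) . PHP_EOL;
}

// Rows saved before validation existed may still contain markup, so the
// render path encodes every value regardless of how it was stored.
$legacyRow = '<b>test</b>';                // constructed stand-in for a stored value
echo '<td>' . h($legacyRow) . '</td>' . PHP_EOL;
```

Validation on write narrows what can be stored; encoding on every read is what keeps already-stored values inert, so both are applied.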
Affected products (1)
- Range: 2.1
Patches
No patches discovered yet.
References (5)
News mentions
No linked articles in our index yet.