CVE-2026-7165
Received - Intake
Stored XSS and Privilege Escalation in Game Management System

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
The vulnerability is present in the '/addJugador' endpoint:

  • The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users' information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user's ID and change their information.
  • The 'punts' and 'numObjectiusEliminats' fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.
  • In the 'tokens' field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.
  • Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.
  • The 'urlImatge' parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users' internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.

Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
Affected Vendors & Products (1 associated CPE)

Vendor: gaudire
Product: assassin_game
Version / Range: *

CWE

CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

AI Quick Actions
Executive Summary

CVE-2026-7165 is a critical vulnerability in the '/addJugador' endpoint of the Assassin game by Gaudire.

  • The 'keyJugador' and 'keyJugadorObjectiu' parameters allow an authenticated attacker to modify other users' information without authorization.
  • The 'punts' and 'numObjectiusEliminats' fields lack proper input validation, enabling falsification of game scores to obtain prizes.
  • The 'tokens' field allows self-assignment of administrative privileges without server validation, leading to privilege escalation.
  • Numeric fields accept extremely long values, which can crash the system and cause denial-of-service (DoS).
  • The 'urlImatge' parameter permits server-side requests to arbitrary URLs, exposing internal IPs, internal services, local files, and unauthorized third-party API interactions.

Overall, this vulnerability allows attackers to alter user data, escalate privileges, falsify scores, cause system crashes, and access sensitive internal information.

Impact Analysis

This vulnerability can have severe impacts including:

  • Unauthorized modification of user information, compromising data integrity.
  • Falsification of game scores to illegitimately obtain prizes awarded by city councils.
  • Privilege escalation by self-assigning administrative rights, potentially leading to full system control.
  • Denial-of-service attacks by crashing the system with excessively long numeric inputs, disrupting game availability.
  • Exposure of sensitive data through server-side requests to arbitrary URLs, including internal IP addresses and files.

Detection Guidance

Detection of this vulnerability involves monitoring and testing the '/addJugador' endpoint for unauthorized modifications and improper input handling.

  • Check if the 'keyJugador' and 'keyJugadorObjectiu' parameters allow modification of other users' information without authorization.
  • Test the 'punts' and 'numObjectiusEliminats' fields by submitting arbitrary or malformed data to see if input validation is enforced.
  • Attempt to assign administrative privileges via the 'tokens' field without proper authentication.
  • Submit extremely long numeric values to numeric fields to check for system crashes or denial-of-service conditions.
  • Use the 'urlImatge' parameter to send server-side requests to arbitrary URLs and observe if internal IP addresses or local files can be accessed.

Specific commands are not provided in the available resources.

Mitigation Strategies

There is no reported solution or patch available at this time to mitigate the vulnerability.

Immediate mitigation steps would typically include restricting access to the '/addJugador' endpoint to trusted users only and monitoring for suspicious activity.

Implementing additional authorization checks and input validation on the server side is recommended once a fix is available.
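The authorization and input-validation controls recommended above, and the five weaknesses listed in the Description, can be illustrated with a server-side request validator. The following is an added example written for this page; it is not code from the Assassin game, from Gaudire, or from INCIBE. Only the field names ('keyJugador', 'keyJugadorObjectiu', 'punts', 'numObjectiusEliminats', 'tokens', 'urlImatge') come from the advisory; the session model, the numeric bounds, the image-host allow-list and the target-assignment table are assumptions.

```python
"""Hardened validation for a player-update request.

Added example for CVE-2026-7165 (not the vendor's code). It shows the
server-side controls the advisory calls for:
  1. authorization: a player may only update their own record and their
     own server-assigned target (keyJugador / keyJugadorObjectiu);
  2. server-owned fields (tokens) are never accepted from the client;
  3. numeric fields (punts, numObjectiusEliminats) are length-capped and
     range-checked before parsing, so overlong values cannot crash anything;
  4. urlImatge is restricted to https URLs on an allow-list, which blocks
     server-side requests to internal hosts, local files and third parties.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed policy values (placeholders, not from the advisory).
MAX_POINTS = 100_000
MAX_ELIMINATIONS = 500
MAX_DIGITS = 9                            # reject overlong numerals before int()
IMAGE_HOSTS = {"img.example-cdn.test"}    # assumed allow-list of image hosts
# Assumed server-side state: the target currently assigned to each player.
ASSIGNED_TARGETS = {"player-1": "player-2", "player-2": "player-3"}


@dataclass
class Session:
    user_key: str          # identity established by the authenticated session
    is_admin: bool = False # set from server-side records, never from the request


@dataclass
class Outcome:
    ok: bool = True
    errors: list = field(default_factory=list)
    update: dict = field(default_factory=dict)   # fields safe to persist


def parse_bounded_int(raw, lo, hi):
    """Parse a decimal integer with a digit-length cap and an inclusive range."""
    s = str(raw).strip()
    digits = s[1:] if s[:1] == "-" else s
    if not digits.isdigit() or len(digits) > MAX_DIGITS:
        raise ValueError(f"{raw!r} is not a short decimal integer")
    n = int(s)
    if not lo <= n <= hi:
        raise ValueError(f"{n} is outside [{lo}, {hi}]")
    return n


def safe_image_url(raw):
    """Accept only plain https URLs whose host is on the allow-list."""
    u = urlparse(str(raw).strip())
    if u.scheme != "https" or u.hostname is None or u.username or u.port not in (None, 443):
        raise ValueError("only plain https URLs are accepted")
    if u.hostname not in IMAGE_HOSTS:
        raise ValueError(f"host {u.hostname!r} is not allow-listed")
    return u.geturl()


def validate_add_jugador(session, form):
    """Validate a /addJugador submission; rejects the whole request on any error."""
    out = Outcome()
    # 1) Authorization: the record being edited must belong to the caller.
    if form.get("keyJugador") != session.user_key and not session.is_admin:
        out.errors.append("keyJugador: not the authenticated player")
    target = form.get("keyJugadorObjectiu")
    if target is not None and not session.is_admin \
            and target != ASSIGNED_TARGETS.get(session.user_key):
        out.errors.append("keyJugadorObjectiu: not the caller's assigned target")
    # 2) Server-owned field: its presence is a policy violation worth logging.
    if "tokens" in form:
        out.errors.append("tokens: server-owned field supplied by client")
    # 3) Bounded numerics: length cap first, then range.
    for name, hi in (("punts", MAX_POINTS), ("numObjectiusEliminats", MAX_ELIMINATIONS)):
        if name in form:
            try:
                out.update[name] = parse_bounded_int(form[name], 0, hi)
            except ValueError as e:
                out.errors.append(f"{name}: {e}")
    # 4) Outbound URL: allow-list instead of trusting the client.
    if "urlImatge" in form:
        try:
            out.update["urlImatge"] = safe_image_url(form["urlImatge"])
        except ValueError as e:
            out.errors.append(f"urlImatge: {e}")
    out.ok = not out.errors
    if not out.ok:
        out.update = {}   # never persist a partially validated request
    return out
```

Each rejected field produces its own error line, so the same outcome can be emitted to an application log and used for the detection guidance above: a request carrying 'tokens', a 'keyJugador' that differs from the session identity, a 40-digit 'punts', or an 'urlImatge' pointing at a non-allow-listed host is exactly the kind of event to alert on. Scores should ideally be derived by the server from validated game events rather than accepted as totals; bounding them, as shown, is the minimum that stops prize fraud by bulk inflation.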

Compliance Impact

This vulnerability allows unauthorized modification of user information, privilege escalation, and unauthorized access to sensitive data. Such issues can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal data access, integrity, and confidentiality.

Specifically, the ability to alter user IDs and information without authorization, self-assign administrative privileges, and access internal services and sensitive data could result in non-compliance with requirements for user consent, data integrity, and access controls mandated by these standards.

Additionally, the potential for denial-of-service attacks could impact availability requirements under these regulations.
