Skip to main content

Revive Adserver CVE-2026-50741

| EUVDEUVD-2026-39602 HIGH
Code Injection (CWE-94)
2026-06-26 hackerone GHSA-66rh-2cvm-487w
8.8
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable code injection needs only a low-privilege account (PR:L) and no interaction; arbitrary code execution yields full C/I/A impact with low complexity.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 01:44 vuln.today

DescriptionCVE.org

Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed but otherwise valid plugin identifier as type, or using the ox.setChannelTargeting XML-RPC API method.

AnalysisAI

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the type parameter or by abusing the ox.setChannelTargeting XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Submit disallowed-but-valid plugin `type` or call ox.setChannelTargeting XML-RPC
Exploit
Bypass CVE-2026-34916 allowlist
Execution
Inject code into plugin loader
Persist
Execute arbitrary code on server
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privilege account (CVSS PR:L) and network reachability to the Revive Adserver application; no user interaction is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) describes a network-reachable, low-complexity attack that requires only low-privilege authentication and no user interaction, with full triple-impact - a genuinely high-priority profile for any internet-exposed instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privilege Revive Adserver account sends a crafted request specifying a disallowed-but-valid plugin identifier as the `type` value, or invokes the `ox.setChannelTargeting` XML-RPC method, slipping past the incomplete CVE-2026-34916 filter to load attacker-influenced code. The server executes the injected code, giving the attacker full control of the host. …
Remediation No vendor-released patch version is identified in the available data, so a specific upgrade target cannot be cited; monitor the official Revive Adserver security advisories and the linked HackerOne reports (https://hackerone.com/reports/3780854, https://hackerone.com/reports/3781492) and apply the corrected fix as soon as it is published, since this CVE demonstrates the earlier CVE-2026-34916 fix is incomplete. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Revive Adserver instances in your infrastructure and assess active user privilege levels; disable XML-RPC API access if not operationally required; restrict administrative UI access to named, authorized personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-26756 HIGH POC
7.5 Apr 14

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vuln

CVE-2026-44959 HIGH
8.8 Jun 23

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec

CVE-2026-34914 HIGH
8.3 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S

CVE-2026-50745 MEDIUM
6.1 Jun 26

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J

CVE-2026-34915 MEDIUM
6.1 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa

CVE-2026-50740 MEDIUM
5.4 Jun 26

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the

CVE-2026-50742 MEDIUM
5.4 Jun 26

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent

CVE-2026-44958 MEDIUM
5.4 Jun 23

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or

CVE-2026-34917 MEDIUM
4.3 Jun 23

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag

CVE-2026-50744 MEDIUM
4.3 Jun 26

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to by

CVE-2026-50739 MEDIUM
4.3 Jun 26

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei

CVE-2026-34913 MEDIUM
4.3 Jun 23

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their o

Share

CVE-2026-50741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy