Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable code injection needs only a low-privilege account (PR:L) and no interaction; arbitrary code execution yields full C/I/A impact with low complexity.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed but otherwise valid plugin identifier as type, or using the ox.setChannelTargeting XML-RPC API method.
AnalysisAI
Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the type parameter or by abusing the ox.setChannelTargeting XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privilege account (CVSS PR:L) and network reachability to the Revive Adserver application; no user interaction is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) describes a network-reachable, low-complexity attack that requires only low-privilege authentication and no user interaction, with full triple-impact - a genuinely high-priority profile for any internet-exposed instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any low-privilege Revive Adserver account sends a crafted request specifying a disallowed-but-valid plugin identifier as the `type` value, or invokes the `ox.setChannelTargeting` XML-RPC method, slipping past the incomplete CVE-2026-34916 filter to load attacker-influenced code. The server executes the injected code, giving the attacker full control of the host. … |
| Remediation | No vendor-released patch version is identified in the available data, so a specific upgrade target cannot be cited; monitor the official Revive Adserver security advisories and the linked HackerOne reports (https://hackerone.com/reports/3780854, https://hackerone.com/reports/3781492) and apply the corrected fix as soon as it is published, since this CVE demonstrates the earlier CVE-2026-34916 fix is incomplete. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Revive Adserver instances in your infrastructure and assess active user privilege levels; disable XML-RPC API access if not operationally required; restrict administrative UI access to named, authorized personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vuln
Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec
Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S
Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J
Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa
Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the
Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent
Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or
Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag
Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to by
Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei
Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their o
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39602
GHSA-66rh-2cvm-487w