Skip to main content

Revive Adserver EUVDEUVD-2026-39600

| CVE-2026-50744 MEDIUM
Improper Access Control (CWE-284)
2026-06-26 hackerone GHSA-q5xg-wh3x-vmcf
4.3
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.4 MEDIUM

Network-reachable API with PR:L (account required); bypassing admin restriction enables both read and write admin API actions, warranting I:L over the vendor's I:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 01:45 vuln.today

DescriptionCVE.org

A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.

AnalysisAI

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Send ox.login request with arbitrary admin credentials
Exploit
Capture session cookie from HTTP response headers despite error body
Execution
Replay leaked session token in subsequent XML-RPC requests
Impact
Invoke admin-restricted API methods without admin credentials

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid low-privilege account on the Revive Adserver instance (consistent with CVSS PR:L) to issue an authenticated HTTP request to the XML-RPC endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.0 score of 4.3 (Medium) with C:L/I:N/A:N likely underestimates realistic impact: bypassing an admin-only API gate plausibly enables both read and write operations on advertising campaigns, user data, and platform configuration, suggesting I:L at minimum. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged Revive Adserver user sends an ox.login XML-RPC request containing admin credentials they do not possess; the server returns an authentication-failure error but also sets a live session cookie in the HTTP response headers. The attacker extracts that Set-Cookie value, discards the error, and includes the session token in subsequent XML-RPC API calls to invoke admin-restricted methods - such as modifying ad campaigns or retrieving account data - without ever possessing the admin password. …
Remediation Consult the HackerOne disclosure at https://hackerone.com/reports/3783738 for patch availability - no vendor-released fixed version has been independently confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-26756 HIGH POC
7.5 Apr 14

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vuln

CVE-2026-50741 HIGH
8.8 Jun 26

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for

CVE-2026-44959 HIGH
8.8 Jun 23

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec

CVE-2026-34914 HIGH
8.3 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S

CVE-2026-50745 MEDIUM
6.1 Jun 26

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J

CVE-2026-34915 MEDIUM
6.1 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa

CVE-2026-50740 MEDIUM
5.4 Jun 26

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the

CVE-2026-50742 MEDIUM
5.4 Jun 26

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent

CVE-2026-44958 MEDIUM
5.4 Jun 23

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or

CVE-2026-34917 MEDIUM
4.3 Jun 23

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag

CVE-2026-50739 MEDIUM
4.3 Jun 26

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei

CVE-2026-34913 MEDIUM
4.3 Jun 23

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their o

Share

EUVD-2026-39600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy