Skip to main content

Revive Adserver EUVDEUVD-2026-39603

| CVE-2026-50742 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 hackerone GHSA-q7h4-cw8q-5rmq
5.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (hackerone) PRIMARY
MEDIUM
qualitative
NVD
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.4 MEDIUM

PR:L confirmed by requirement for authenticated low-privilege access; AC:H reflects attacker's incomplete control over payload trigger; S:C applies as XSS crosses into admin session context.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
CVSS changed
Jun 29, 2026 - 20:22 NVD
4.4 (MEDIUM) 5.4 (MEDIUM)
Analysis Generated
Jun 26, 2026 - 01:46 vuln.today

DescriptionNVD

A stored XSS vulnerabilities exists in the maintenance-acl-check.php and maintenance-banners-check.php tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected. Whether the XSS payload is executed when an administrator uses the affected maintenance tools is not entirely under the attacker's control.

AnalysisAI

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate with low-privilege account
Delivery
Inject XSS payload into entity name
Exploit
Payload persists server-side
Install
Admin runs maintenance-acl-check.php or maintenance-banners-check.php
C2
Inconsistency detected, tainted name rendered unescaped
Execute
XSS executes in admin browser session
Impact
Steal admin session or perform privileged actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a low-privilege authenticated account on the Revive Adserver instance with sufficient permissions to create or modify entity names (ACL zones or banners) that are later evaluated by the maintenance scripts. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 score of 4.4 (Medium) accurately reflects the constrained exploitability: AC:H captures the attacker's incomplete control over payload firing, PR:L requires the attacker to hold authenticated low-privilege access, and UI:R mandates that an administrator actively use the affected maintenance tools. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege Revive Adserver account creates or renames an ACL zone or banner entity with a name containing a JavaScript payload (e.g., an event handler or script tag). No public proof-of-concept code has been identified, but the attack requires no special tooling beyond a standard browser. …
Remediation No specific patched version is confirmed in the available data - the single reference points to a HackerOne report (https://hackerone.com/reports/3781311), and no vendor advisory with an explicit fix version was provided. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-39603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy