Skip to main content

Adserver

18 CVEs product

Monthly

CVE-2026-50745 MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-50740 MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-50742 MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-50741 HIGH This Week

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the `type` parameter or by abusing the `ox.setChannelTargeting` XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. Reported via HackerOne by multiple researchers (including phucrio and offsetmd); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Adserver
NVD
CVSS 3.0
8.8
EPSS
0.3%
CVE-2026-50739 MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-50744 MEDIUM This Month

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. A threat actor who captures that leaked cookie can then replay it to invoke otherwise admin-restricted XML-RPC methods without possessing admin credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-34913 MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-34917 MEDIUM This Month

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID against the XML-RPC API, which is normally restricted to admin-level users. This authentication bypass (CWE-287) grants unauthorized API access, enabling the attacker to chain this foothold with additional API-level vulnerabilities to escalate impact beyond the base CVSS score suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis; the issue was disclosed via HackerOne and a fix was implemented by recording session context alongside session data.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.3%
CVE-2026-44956 NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-34914 HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
CVSS 3.0
8.3
EPSS
0.3%
CVE-2026-44958 MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2026-44961 NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44960 NONE Awaiting Data

Stored XSS in Revive Adserver allows arbitrary JavaScript execution in an administrator's browser by embedding payloads in usernames that are later rendered unsanitized in the audit log details view. The attack persists in the platform's audit trail and fires when any admin reviews the affected log entries - a routine administrative activity, not a rare or unusual trigger. No public exploit has been identified at time of analysis, but the vendor has confirmed a fix by adding proper HTML output escaping to the audit log details rendering path.

XSS Adserver
NVD VulDB
EPSS
0.3%
CVE-2026-44957 MEDIUM This Month

Missing access control on XML-RPC API modify methods in Revive Adserver 6.0.6 and earlier permits authenticated low-privileged users to reassign entities to arbitrary parent entities, corrupting ownership relationships across campaigns, zones, or banners. This flaw is not independently exploitable - it requires chaining with CVE-2026-34917 or the presence of third-party API extensions that expose modify methods to low-privileged users, materially narrowing real-world risk. A vendor fix adding parent-entity access validation has been issued; no public exploit has been identified at time of analysis.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-34912 MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-44959 HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpected parameter into the delivery limitations save flow, planting attacker-controlled PHP into the compiledlimitations field that is then evaluated when banners are served. With CVSS 8.8 and a CWE-94 root cause, successful exploitation yields full code execution under the web/ad-delivery process, though there is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.

PHP RCE Code Injection Adserver
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2026-34915 MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP Adserver
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2023-26756 HIGH POC This Week

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Adserver
NVD
CVSS 3.1
7.5
EPSS
1.2%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary JavaScript into victim browsers by delivering a crafted URL. The Smarty template engine's custom `url` helper function emits attacker-controlled values without HTML encoding or sanitization, and the URL construction pattern for this endpoint exposes user input directly in rendered output. No active exploitation has been confirmed (not in CISA KEV), but the vulnerability is reachable without authentication and requires only victim interaction with a malicious link.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the `type` parameter or by abusing the `ox.setChannelTargeting` XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. Reported via HackerOne by multiple researchers (including phucrio and offsetmd); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. A threat actor who captures that leaked cookie can then replay it to invoke otherwise admin-restricted XML-RPC methods without possessing admin credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper access control in Revive Adserver 6.0.6 and earlier allows an authenticated low-privileged user to link their own trackers to advertising campaigns owned by other managers on the same instance via campaign-trackers.php. The flaw enables unauthorized manipulation of campaign-tracker ownership relationships, corrupting attribution data and potentially introducing unauthorized tracking into other managers' campaigns. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

PHP Authentication Bypass Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID against the XML-RPC API, which is normally restricted to admin-level users. This authentication bypass (CWE-287) grants unauthorized API access, enabling the attacker to chain this foothold with additional API-level vulnerabilities to escalate impact beyond the base CVSS score suggests. No public exploit code and no CISA KEV listing have been identified at time of analysis; the issue was disclosed via HackerOne and a fix was implemented by recording session context alongside session data.

Authentication Bypass Adserver
NVD
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows a low-privileged user to inject malicious JavaScript through their Full Name field, which propagates via system-generated emails into the userlog table and executes in an administrator's browser when viewing userlog-details.php. The attack crosses privilege boundaries - a standard user account becomes a vector for admin-context script execution, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis; a fix adding proper output escaping has been confirmed via HackerOne report #3669623.

XSS PHP Adserver
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary SQL through the clientid parameter of zone-include.php due to missing input sanitisation. The flaw, rated CVSS 8.3 with PR:L, enables attackers with any valid account to exfiltrate or tamper with ad-server data; no public exploit identified at time of analysis, though a HackerOne report describing the issue is publicly referenced.

SQLi PHP Adserver
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or deactivate banner ads regardless of whether those permissions were explicitly granted. The banner-edit.php script evaluated banner status changes based solely on banner edit permissions, treating status modification as implicitly authorized whenever edit access existed. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it straightforward for any credentialed advertiser to abuse.

PHP Authentication Bypass Adserver
NVD
EPSS 0%
NONE Awaiting Data

Revive Adserver's XML-RPC API addUser method contains a validation bypass regression introduced by the patch for CVE-2025-55129, allowing authenticated API users to register usernames containing malicious payloads that enable impersonation of other accounts or deliver stored cross-site scripting attacks against administrative users. Reported via HackerOne (report #3680090), this vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis. The provided CVSS vector is a null placeholder with all impact metrics rated N, which directly contradicts the described integrity and confidentiality impacts of stored XSS and account impersonation, and must not be used for risk prioritization.

XSS Authentication Bypass Adserver
NVD VulDB
EPSS 0%
NONE Awaiting Data

Stored XSS in Revive Adserver allows arbitrary JavaScript execution in an administrator's browser by embedding payloads in usernames that are later rendered unsanitized in the audit log details view. The attack persists in the platform's audit trail and fires when any admin reviews the affected log entries - a routine administrative activity, not a rare or unusual trigger. No public exploit has been identified at time of analysis, but the vendor has confirmed a fix by adding proper HTML output escaping to the audit log details rendering path.

XSS Adserver
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing access control on XML-RPC API modify methods in Revive Adserver 6.0.6 and earlier permits authenticated low-privileged users to reassign entities to arbitrary parent entities, corrupting ownership relationships across campaigns, zones, or banners. This flaw is not independently exploitable - it requires chaining with CVE-2026-34917 or the presence of third-party API extensions that expose modify methods to low-privileged users, materially narrowing real-world risk. A vendor fix adding parent-entity access validation has been issued; no public exploit has been identified at time of analysis.

Authentication Bypass Adserver
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Revive Adserver 6.0.6 and earlier fails to enforce ownership validation when linking banners or campaigns to ad zones via the zone-include.php script or the platform API, allowing any authenticated low-privileged user to associate their zones with advertising assets owned by other managers on the same installation. This breaks the intended multi-tenant ownership isolation, producing inconsistent cross-account zone-to-banner and zone-to-campaign relationships that disrupt legitimate advertiser operations. No public exploit has been identified and there is no CISA KEV listing; however, the low attack complexity and network accessibility via both the web interface and API make exploitation straightforward for any authenticated platform user.

PHP Authentication Bypass Adserver
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpected parameter into the delivery limitations save flow, planting attacker-controlled PHP into the compiledlimitations field that is then evaluated when banners are served. With CVSS 8.8 and a CWE-94 root cause, successful exploitation yields full code execution under the web/ad-delivery process, though there is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.

PHP RCE Code Injection +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate database contents via the unsanitized clientid parameter in zone-include.php. The vulnerability is compounded by a concurrent input validation failure that also enables cross-site scripting, reflected in the CWE-79 assignment and CVSS scope-change vector - suggesting the zone-include.php endpoint contains at least two distinct injection classes. No public exploit has been identified at time of analysis, and a fix is available in versions beyond 6.0.6 per the vendor advisory on HackerOne.

SQLi XSS PHP +1
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Adserver
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy