Revive Adserver
12 CVEs affecting Revive Adserver. Latest disclosed: 2026-06-23. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-44959 | High | 8.8 | 2026-06-23 | A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected… |
| CVE-2026-34914 | High | 8.3 | 2026-06-23 | A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid para… |
| CVE-2023-26756 | High | 7.5 | 2023-04-14 | The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. NOTE: The vendor's position is that this is effectively mitigated by rate limits… |
| CVE-2026-34915 | Medium | 6.1 | 2026-06-23 | A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clien… |
| CVE-2026-44958 | Medium | 5.4 | 2026-06-23 | An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions we… |
| CVE-2026-44957 | Medium | 4.3 | 2026-06-23 | A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be rea… |
| CVE-2026-34917 | Medium | 4.3 | 2026-06-23 | Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users… |
| CVE-2026-34913 | Medium | 4.3 | 2026-06-23 | A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a l… |
| CVE-2026-34912 | Medium | 4.3 | 2026-06-23 | A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its… |
| CVE-2026-44961 | Unrated | | 2026-06-23 | The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled imp… |
| CVE-2026-44960 | Unrated | | 2026-06-23 | A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malici… |
| CVE-2026-44956 | Unrated | | 2026-06-23 | Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in… |