CVE-2026-50744
published 2026-06-26CVE-2026-50744: A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in…
PriorityP423medium4.3CVSS 3.0
AVNACLPRLUINSUCLINAN
EPSS
0.17%
6.4th percentile
A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| revive-adserver | revive_adserver | < 6.0.8 | 6.0.8 |
| revive | adserver | <= 6.0.7 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-26
Published