cvebase

Aquaplatform Revive Adserver vulnerabilities

9 known vulnerabilities affecting aquaplatform/revive_adserver.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 8, LOW 1

Vulnerabilities

CVE-2026-21641 | P3 | MEDIUM | CVSS 6.5 | ≤ 6.0.4 | 2026-01-20
CWE-285: HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts.
Source: NVD
CVE-2025-55128 | P3 | MEDIUM | CVSS 6.5 | ≥ 6.0.0, < 6.0.3 | 2025-11-20
CWE-400: HackerOne community member Dang Hung Vi (vidang04) has reported an uncontrolled resource consumption vulnerability in the “userlog-index.php”. An attacker with access to the admin interface could request an arbitrarily large number of items per page, potentially leading to a denial of service.
Source: NVD
CVE-2025-55126 | P4 | MEDIUM | CVSS 6.5 | ≥ 6.0.0, < 6.0.3 | 2025-11-20
CWE-79: HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS
Source: NVD
CVE-2025-55129 | P4 | MEDIUM | CVSS 5.4 | ≥ 6.0.0, < 6.0.4 | 2025-12-02
CWE-176: HackerOne community member Kassem S. (kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyph-based impersonation has been independently reported by other HackerOne users, such as itz_hari_ and khoof.
Source: NVD
CVE-2025-55127 | P4 | MEDIUM | CVSS 5.4 | ≥ 6.0.0, < 6.0.3 | 2025-11-20
CWE-156: HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.
Source: NVD
CVE-2026-21642 | P4 | MEDIUM | CVSS 6.1 | ≤ 6.0.4 | 2026-01-20
CWE-79: HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would b
Source: NVD
CVE-2026-21664 | P4 | MEDIUM | CVSS 6.1 | ≥ 6.0.0, ≤ 6.0.4 | 2026-01-20
CWE-79: HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be execute
Source: NVD
CVE-2026-21663 | P4 | MEDIUM | CVSS 6.1 | ≥ 6.0.0, ≤ 6.0.4 | 2026-01-20
CWE-79: HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
Source: NVD
CVE-2026-21640 | P4 | LOW | CVSS 2.7 | ≥ 6.0.0, ≤ 6.0.4 | 2026-01-20
CWE-134: HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error.
Source: NVD