Revive Adserver vulnerabilities (vendor: Revive-Adserver)
66 known vulnerabilities affecting revive-adserver/revive_adserver.
Total CVEs: 66
CISA KEV: 0
Public exploits: 4
Exploited in wild: 3
Severity breakdown: CRITICAL 4, HIGH 12, MEDIUM 47, LOW 3
Vulnerabilities
Page 3 of 4
CVE-2026-50740 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.0.8 | 2026-06-26
Missing sanitisation of user input in the zone-include.php script in Revive Adserver 6.0.7 and earlier. A low-privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.
Source: nvd
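The entry above (and the invocation-tag XSS entries for CVE-2017-5833 and CVE-2021-22871 further down) all share one root cause: a request or database value is concatenated into generated HTML without validation or attribute escaping. The following is an added example, not Revive Adserver code: a minimal iframe invocation-tag builder in the spirit of the zone-include.php generator, showing the unsafe concatenation next to a hardened version that validates the numeric parameters and attribute-escapes the src value. The delivery path `/delivery/afr.php`, the parameter names and the `ATTACK_REFRESH` payload are assumed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload: closes the src attribute and injects an event handler.
ATTACK_REFRESH = '30" onload="alert(document.cookie)'


def build_iframe_tag_unsafe(base_url: str, zoneid, refresh) -> str:
    """Vulnerable pattern: request parameters concatenated straight into HTML."""
    return (f'<iframe src="{base_url}/delivery/afr.php?zoneid={zoneid}&refresh={refresh}" '
            'frameborder="0" scrolling="no"></iframe>')


def _require_int(value, name: str) -> int:
    """Accept only a non-negative decimal integer; anything else is rejected."""
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
    return int(text)


def build_iframe_tag(base_url: str, zoneid, refresh) -> str:
    """Hardened: validate numeric inputs, then attribute-escape the whole src value."""
    zoneid = _require_int(zoneid, "zoneid")
    refresh = _require_int(refresh, "refresh")
    src = f"{base_url}/delivery/afr.php?zoneid={zoneid}&refresh={refresh}"
    return (f'<iframe src="{html.escape(src, quote=True)}" '
            'frameborder="0" scrolling="no"></iframe>')


def is_valid_refresh(value) -> bool:
    """True when the value would survive the hardened builder's validation."""
    try:
        _require_int(value, "refresh")
        return True
    except ValueError:
        return False


class _IframeAttrs(HTMLParser):
    """Collects the attributes of the first <iframe> tag seen."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and not self.attrs:
            self.attrs = dict(attrs)


def iframe_attributes(tag: str) -> dict:
    """Parse generated markup the way a browser would and return the iframe's attributes.

    An injected attribute (e.g. onload) showing up here is the tell-tale of a breakout.
    """
    p = _IframeAttrs()
    p.feed(tag)
    p.close()
    return p.attrs


if __name__ == "__main__":
    print(iframe_attributes(build_iframe_tag_unsafe("https://ads.example", 5, ATTACK_REFRESH)))
    print(build_iframe_tag("https://ads.example", 5, 30))
    print("attack payload accepted:", is_valid_refresh(ATTACK_REFRESH))
```

Validation rejects the payload outright; the escaping is the second line of defence for parameters that legitimately carry free text, where a stray quote must not be able to terminate the attribute.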
CVE-2025-48987 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 5.5.2; ≥ 6.0.0, ≤ 6.0.1 | 2025-11-20
Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows a reflected XSS attack.
Source: nvd
CVE-2016-9472 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 3.2.4; v4.0.0 | 2017-03-28
Revive Adserver before 3.2.5 and 4.0.0 suffers from reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be a
Source: nvd
CVE-2015-7366 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | affected: ≤ 3.2.1 | 2015-10-14
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the authentication of users for requests that (1) perform certain plugin actions and possibly cause a denial of service (disabled core plugins) via unknown vectors or (2) change the contact name and language or possibly have unsp
Source: nvd
CVE-2025-55124 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 6.0.0, ≤ 6.0.1 | 2025-11-20
Improper neutralisation of input in Revive Adserver 6.0.0 and later (up to 6.0.1) allows a reflected XSS attack via the banner-zone.php script.
Source: nvd
CVE-2015-7371 | P4 | MEDIUM | CVSS 5.0 | CWE-264 | affected: ≤ 3.2.1 | 2015-10-14
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request.
Source: nvd
CVE-2014-8875 | P4 | MEDIUM | CVSS 5.0 | affected: ≤ 3.0.5 | 2014-12-19
The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML-RPC request, aka an XML Entity Expansion (XEE) attack.
Source: nvd
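XML-RPC never needs a DTD, so the cheapest defence against the entity-expansion attack described above is to refuse any DOCTYPE or entity declaration before the parser gets a chance to expand anything. The block below is an added example, not Revive Adserver or PEAR XML_RPC code: it parses a methodCall with Python's expat bindings and aborts on the first DOCTYPE or entity declaration, then demonstrates the guard against a constructed billion-laughs payload and a benign request (the `ox.login` method name is taken from the XML-RPC API entry on this page; the payloads themselves are constructed).

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an XML-RPC request carries a DTD or entity declarations."""


def parse_xmlrpc_method(payload: bytes) -> str:
    """Parse an XML-RPC methodCall and return its methodName.

    Any DOCTYPE or entity declaration is refused via expat callbacks, so the
    parser never reaches the point of expanding nested entities.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"in_name": False, "chunks": [], "method": None}

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed in XML-RPC")

    def refuse_entity(name, *_ignored):
        raise UnsafeXmlError(f"entity declaration {name!r} not allowed in XML-RPC")

    def start(name, attrs):
        if name == "methodName":
            state["in_name"] = True

    def end(name):
        if name == "methodName":
            state["in_name"] = False
            state["method"] = "".join(state["chunks"]).strip()

    def chars(data):
        if state["in_name"]:
            state["chunks"].append(data)

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(payload, True)  # exceptions raised in handlers propagate out of Parse
    if state["method"] is None:
        raise ValueError("no methodName element in request")
    return state["method"]


def is_safe_xmlrpc(payload: bytes) -> bool:
    """True when the request carries no DTD; malformed XML still raises ExpatError."""
    try:
        parse_xmlrpc_method(payload)
        return True
    except UnsafeXmlError:
        return False


# Constructed benign request.
BENIGN = (b'<?xml version="1.0"?><methodCall><methodName>ox.login</methodName>'
          b'<params><param><value><string>admin</string></value></param></params></methodCall>')

# Constructed (deliberately shallow) billion-laughs payload; real ones nest ~10 levels deep.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<methodCall><methodName>&lol2;</methodName></methodCall>"""

# Constructed request with an external DTD reference: harmless-looking, still refused.
EXTERNAL_DTD = (b'<?xml version="1.0"?><!DOCTYPE methodCall SYSTEM "http://attacker.example/x.dtd">'
                b'<methodCall><methodName>ox.login</methodName></methodCall>')


if __name__ == "__main__":
    print("benign:", parse_xmlrpc_method(BENIGN))
    for name, p in (("billion laughs", BILLION_LAUGHS), ("external DTD", EXTERNAL_DTD)):
        print(name, "safe?", is_safe_xmlrpc(p))
```

Recent libexpat releases (2.4.0 and later) add their own amplification limits, but those only trip above a size threshold; refusing DTDs up front is independent of the parser's heuristics and costs nothing for a protocol that never uses them.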
CVE-2016-9457 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 3.2.2 | 2017-03-28
Revive Adserver before 3.2.3 suffers from reflected XSS. `www/admin/stats.php` is vulnerable to reflected XSS attacks via multiple parameters that are not properly sanitised or escaped when displayed, such as setPerPage, pageId, bannerid, period_start, period_end, and possibly others.
Source: nvd
CVE-2017-5833 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≤ 4.0.0 | 2017-03-03
Cross-site scripting (XSS) vulnerability in the invocation code generation for interstitial zones in Revive Adserver before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Source: nvd
CVE-2016-9128 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 3.2.2 | 2017-03-28
Revive Adserver before 3.2.3 suffers from reflected XSS. The affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to steal the session ID of an authenticated user, by tricking them into visiting a specifically crafted URL.
Source: nvd
CVE-2016-9129 | P4 | MEDIUM | CVSS 5.3 | CWE-203 | affected: ≤ 3.2.2 | 2017-03-28
Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address was associated to one or more user accounts on a target Revive Adserver instance by examining the message printed by the password recovery system. Such information cannot however be used directly to log in to the
Source: nvd
CVE-2016-9454 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 3.2.2 | 2017-03-28
Revive Adserver before 3.2.3 suffers from persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The banner image URL for external banners wasn't properly escaped when displayed in most of the banner related pages.
Source: nvd
CVE-2026-50739 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 6.0.8 | 2026-06-26
A bypass for CVE-2026-34913 exists: the ownership validation that fixed it had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. As a result, a low-privileged user could link their trackers to campaigns owned by other managers on the same instanc
Source: nvd
CVE-2016-9130 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 3.2.2 | 2017-03-28
Revive Adserver before 3.2.3 suffers from persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The website name wasn't properly escaped when displayed in the campaign-zone.php script.
Source: nvd
CVE-2025-52669 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | affected: ≤ 5.5.2; ≥ 6.0.0, ≤ 6.0.1 | 2025-11-20
Insecure design of the user management system in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows non-admin users to access the contact name and email address of other users on the system.
Source: nvd
CVE-2026-50744 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 6.0.8 | 2026-06-26
A bypass of the admin-only restriction of the XML-RPC API exists in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API call
Source: nvd
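The failure mode above is worth seeing end to end: authentication succeeds, a session (and its cookie) is created, the authorisation check then fails and an error goes back, but the session outlives the error. The block below is an added example that models this bug class in a toy XML-RPC facade; it is not Revive Adserver code, and the user table, fault codes, cookie name and method names other than `ox.login` are constructed for illustration. The `probe_non_admin` helper performs the check a tester would run: log in with a non-admin account, then replay whatever cookie came back against another method.

```python
import secrets
from dataclasses import dataclass, field

# Constructed user table (not real Revive Adserver data).
USERS = {
    "admin":   {"password": "correct horse", "is_admin": True},
    "manager": {"password": "battery staple", "is_admin": False},
}


@dataclass
class Response:
    ok: bool
    body: dict
    headers: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by a random session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": username}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class XmlRpcApi:
    """Admin-only API: ox.login issues a session, every other call presents it as a cookie."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = SessionStore()

    def login(self, username: str, password: str) -> Response:
        user = USERS.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return Response(False, {"faultCode": 801, "faultString": "invalid credentials"})
        # The session is started as soon as the credentials check out; in a PHP
        # application the Set-Cookie header is queued for the response at this point.
        sid = self.sessions.create(username)
        headers = {"Set-Cookie": f"sessionID={sid}; HttpOnly; Secure"}
        if not user["is_admin"]:
            fault = {"faultCode": 802, "faultString": "API restricted to administrators"}
            if self.hardened:
                # Fix: tear the session down and send no cookie with the error.
                self.sessions.destroy(sid)
                return Response(False, fault)
            # Vulnerable: correct error, but the header still leaks a live session.
            return Response(False, fault, headers)
        return Response(True, {"sessionId": sid}, headers)

    def user_count(self, cookie) -> Response:
        """Stand-in for any other API method: authorised purely by the session cookie."""
        sid = _cookie_value(cookie, "sessionID")
        if sid is None or self.sessions.lookup(sid) is None:
            return Response(False, {"faultCode": 803, "faultString": "not authenticated"})
        return Response(True, {"count": len(USERS)})


def _cookie_value(cookie, name):
    """Extract one cookie's value; replaying the Set-Cookie string as-is is a test shortcut."""
    if not cookie:
        return None
    for part in cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value or None
    return None


def probe_non_admin(api: XmlRpcApi) -> dict:
    """Log in as a non-admin and replay whatever cookie came back with the error."""
    resp = api.login("manager", "battery staple")
    cookie = resp.headers.get("Set-Cookie")
    follow_up = api.user_count(cookie)
    return {"login_ok": resp.ok, "cookie_leaked": cookie is not None, "follow_up_ok": follow_up.ok}


if __name__ == "__main__":
    print("vulnerable:", probe_non_admin(XmlRpcApi(hardened=False)))
    print("hardened:  ", probe_non_admin(XmlRpcApi(hardened=True)))
```

The general rule the hardened branch follows: any state created during authentication (session row, cookie, token) is only valid once every authorisation check has passed; on failure it must be destroyed, not merely left unused, because the client already holds the identifier.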
CVE-2017-5832 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≤ 4.0.0 | 2017-03-03
Cross-site scripting (XSS) vulnerability in Revive Adserver before 4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the user's email address.
Source: nvd
CVE-2021-22871 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 5.1.0 | 2021-01-26
Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which is then displayed unsanitized in the affiliate-preview.php tag generation screen, leading to a persistent cross-site scripting (XSS) vulnerability.
Source: nvd
CVE-2025-52671 | P4 | MEDIUM | CVSS 4.3 | CWE-209 | affected: v6.0.0 | 2025-11-20
Debug information disclosure in the SQL error message in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows non-admin users to learn the software, PHP and database versions currently in use.
Source: nvd
CVE-2015-7373 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affected: ≤ 3.2.1 | 2015-10-14
Cross-site scripting (XSS) vulnerability in the "magic-macros" feature in Revive Adserver before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via a GET parameter, which is not properly handled in a banner.
Source: nvd