CVE Catalog

CVE-2026-44958

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Summary

The vulnerability allows advertiser-level users to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions.

Risk Assessment

Organizations may be exposed to unauthorized changes in the status of advertising banners, which could lead to improper ad display and potential financial losses.

Recommendation

It is recommended to upgrade to the latest version of Revive Adserver to eliminate this vulnerability and review user permissions in the system.

Original NVD description (English source)

An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions. The status field has been removed from the hidden form fields in the banner edit screen.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS