CVE-2026-44958
MediumCVSS 5.4Summary
The vulnerability allows advertiser-level users to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions.
Risk Assessment
Organizations may be exposed to unauthorized changes in the status of advertising banners, which could lead to improper ad display and potential financial losses.
Recommendation
It is recommended to upgrade to the latest version of Revive Adserver to eliminate this vulnerability and review user permissions in the system.
Original NVD description (English source)
An access control bypass allows an advertiser‑level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions. The status field has been removed from the hidden form fields in the banner edit screen.

