CVE Catalog

CVE-2026-50740

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

In Revive Adserver 6.0.7 and earlier, missing sanitization of user input in the zone-include.php script allows XSS attacks. A low-privileged user can exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.

Risk Assessment

An attacker can inject malicious script that executes in the victim's browser, leading to session theft, redirects, or data theft.

Recommendation

Immediately update Revive Adserver to the latest version containing the security fix. If an update is not possible, restrict access to the zone-include.php script and apply filtering to the refresh parameter.

Original NVD description (English source)

A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS