Revive-adserver Revive Adserver — known CVE vulnerabilities
Every CVE whose affected-product data names Revive-adserver Revive Adserver, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (66)
CVE-2016-9125 — CVSS 9.8 (critical): Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time…
CVE-2016-9124 — CVSS 9.8 (critical): Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is…
CVE-2017-5830 — CVSS 9.8 (critical): Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery…
CVE-2016-9470 — CVSS 9.0 (critical): Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download. `www/delivery/asyncspc.php` was vulnerable to the fairly new…
CVE-2016-9456 — CVSS 8.8 (high): Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the…
CVE-2026-50741 — CVSS 8.8 (high): Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed…
CVE-2025-52664 — CVSS 8.8 (high): SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by…
CVE-2025-48986 — CVSS 8.8 (high): Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an logged in attacker to change other users' email…
CVE-2016-9127 — CVSS 8.8 (high): Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The password recovery form in Revive Adserver is vulnerable to…
CVE-2016-9455 — CVSS 8.8 (high): Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). A number of scripts in Revive Adserver's user interface are…
CVE-2019-5440 — CVSS 8.1 (high): Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver < v4.2.1 causes a potential authentication…
CVE-2015-7369 — CVSS 7.5 (high): The default Flash cross-domain policy (crossdomain.xml) in Revive Adserver before 3.2.2 does not restrict access cross domain access, which…
CVE-2015-7372 — CVSS 7.5 (high): Directory traversal vulnerability in delivery-dev/al.php in Revive Adserver before 3.2.2 allows remote attackers to include and execute…
CVE-2015-7367 — CVSS 7.5 (high): Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has…
CVE-2013-7149 — CVSS 7.5 (high): SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and…
CVE-2021-22948 — CVSS 7.1 (high): Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqid() PHP function…
CVE-2020-8142 — CVSS 6.8 (medium): A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive…
CVE-2014-9407 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the…
CVE-2013-5954 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to hijack the authentication…
CVE-2015-7364 — CVSS 6.8 (medium): The HTML_Quickform library, as used in Revive Adserver before 3.2.2, allows remote attackers to bypass the CSRF protection mechanism via an…
CVE-2015-7366 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.2.2 allow remote attackers to hijack the…
CVE-2025-52670 — CVSS 6.5 (medium): Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by…
CVE-2026-50745 — CVSS 6.1 (medium): A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did…
CVE-2017-5833 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the invocation code generation for interstitial zones in Revive Adserver before 4.0.1 allows…
CVE-2020-8115 — CVSS 6.1 (medium): A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo…
CVE-2020-8143 — CVSS 6.1 (medium): An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote…
CVE-2021-22872 — CVSS 6.1 (medium): Revive Adserver before 5.1.0 is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the publicly accessible afr.php…
CVE-2021-22873 — CVSS 6.1 (medium): Revive Adserver before 5.1.0 is vulnerable to open redirects via the `dest`, `oadest`, and/or `ct0` parameters of the lg.php and ck.php…
CVE-2021-22874 — CVSS 6.1 (medium): Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in userlog-index.php via the `period_preset` parameter.
CVE-2021-22875 — CVSS 6.1 (medium): Revive Adserver before 5.1.1 is vulnerable to a reflected XSS vulnerability in stats.php via the `setPerPage` parameter.
CVE-2021-22888 — CVSS 6.1 (medium): Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `status` parameter of campaign-zone-zones.php. An…
CVE-2021-22889 — CVSS 6.1 (medium): Revive Adserver before v5.2.0 is vulnerable to a reflected XSS vulnerability in the `statsBreakdown` parameter of stats.php (and possibly…
CVE-2023-53931 — CVSS 6.1 (medium): Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to…
CVE-2025-27208 — CVSS 6.1 (medium): A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. An attacker could trick a user…
CVE-2025-48987 — CVSS 6.1 (medium): Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes a potential reflected XSS attack.
CVE-2025-55124 — CVSS 6.1 (medium): Improper neutralisation of input in Revive Adserver 6.0.0+ causes a reflected XSS attack in the banner-zone.php script.
CVE-2017-5831 — CVSS 5.9 (medium): Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote…
CVE-2025-52667 — CVSS 5.4 (medium): Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be…
CVE-2016-9472 — CVSS 5.4 (medium): Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected…
CVE-2016-9128 — CVSS 5.4 (medium): Revive Adserver before 3.2.3 suffers from reflected XSS. The affiliate-preview.php script in www/admin is vulnerable to a reflected XSS…
CVE-2017-5832 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerability in Revive Adserver before 4.0.1 allows remote authenticated users to inject arbitrary web script…
CVE-2016-9126 — CVSS 5.4 (medium): Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames are not properly escaped when displayed in the audit trail widget of…
CVE-2019-5433 — CVSS 5.4 (medium): A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a specifically crafted admin…
CVE-2016-9457 — CVSS 5.4 (medium): Revive Adserver before 3.2.3 suffers from Reflected XSS. `www/admin/stats.php` is vulnerable to reflected XSS attacks via multiple…
CVE-2025-55123 — CVSS 5.4 (medium): Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS…
CVE-2025-52668 — CVSS 5.4 (medium): Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential…
CVE-2016-9454 — CVSS 5.4 (medium): Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface…
CVE-2016-9130 — CVSS 5.4 (medium): Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface…
CVE-2026-50740 — CVSS 5.4 (medium): A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A…
CVE-2026-50742 — CVSS 5.4 (medium): A stored XSS vulnerabilities exists in the `maintenance-acl-check.php` and `maintenance-banners-check.php` tools of Revive Adserver 6.0.7…
CVE-2016-9129 — CVSS 5.3 (medium): Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address…
CVE-2015-7371 — CVSS 5.0 (medium): Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine…
CVE-2014-8875 — CVSS 5.0 (medium): The XML_RPC_cd function in lib/pear/XML/RPC.php in Revive Adserver before 3.0.6 allows remote attackers to cause a denial of service (CPU…
CVE-2021-22871 — CVSS 4.8 (medium): Revive Adserver before 5.1.0 permits any user with a manager account to store possibly malicious content in the URL website property, which…
CVE-2015-7373 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the "magic-macros" feature in Revive Adserver before 3.2.2 allows remote attackers to inject…
CVE-2025-52669 — CVSS 4.3 (medium): Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to…
CVE-2015-7365 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the plugin upgrade form in Revive Adserver before 3.2.2 allows remote attackers to inject…
CVE-2025-52671 — CVSS 4.3 (medium): Debug information disclosure in the SQL error message to in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to…
CVE-2014-8793 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in lib/max/Admin/UI/Field/PublisherIdField.php in Revive Adserver before 3.0.6 allows remote…
CVE-2026-50739 — CVSS 4.3 (medium): A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking…
CVE-2015-7370 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in open-flash-chart.swf in Open Flash Chart 2, as used in the VideoAds plugin in Revive…
CVE-2026-50744 — CVSS 4.3 (medium): A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a…
CVE-2016-9471 — CVSS 3.1 (low): Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on…
CVE-2025-52666 — CVSS 2.7 (low): Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes an…
CVE-2015-7368 — CVSS 2.1 (low): Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local…