A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.
References
History

Wed, 08 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Reflected XSS via zone‑include.php Refresh Parameter in Revive Adserver 6.0.7 and Earlier

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 6.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-06-26T01:11:14.295Z

Updated: 2026-07-08T19:42:43.574Z

Reserved: 2026-06-06T15:00:09.779Z

Link: CVE-2026-50740

cve-icon Vulnrichment

Updated: 2026-06-26T12:24:39.963Z

cve-icon NVD

No data.

cve-icon Redhat

No data.