resolved
PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting
Bug reported by Doom was disclosed at June 25, 2026, 1:43 pm | Code Injection
resolved
XML‑RPC login leak exposes valid session ID enabling unauthorized API access
Bug reported by Garut Pride was disclosed at June 25, 2026, 1:43 pm | Improper Access Control - Generic
resolved
Reflected XSS via unsanitised refresh parameter in zone invocation tag
Bug reported by Mahmoud Khaled was disclosed at June 25, 2026, 1:41 pm | Cross-site Scripting (XSS) - Reflected
A missing sanitization of user input in the zone-include.php script of Revive Adserver 6.0.7 and earlier was reported. This vulnerability allowed a low-privileged user to perform reflected XSS attacks by exploiting the refresh parameter of the iFrame invocation tag.
resolved
PHP code injection in delivery-limitation `logical` validation bypass
Bug reported by Rio [Redacted] was disclosed at June 25, 2026, 1:40 pm | Code Injection
A vulnerability in the delivery-limitation `logical` validation was reported. The vulnerability allowed bypassing the fix for CVE-2026-34916 by sending a disallowed but otherwise valid plugin identifier as `type`, or using the `ox.setChannelTargeting` XML-RPC API method.
resolved
Stored XSS in maintenance tools via unescaped entity names
Bug reported by Althaf Shajahan was disclosed at June 25, 2026, 1:40 pm | Cross-site Scripting (XSS) - Stored
A stored XSS vulnerability was discovered in the maintenance tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected in the `maintenance-acl-check.php` and `maintenance-banners-check.php` files.
resolved
CSRF in zone‑include.php allows unauthorized banner and campaign linking
Bug reported by Althaf Shajahan was disclosed at June 25, 2026, 1:40 pm | Cross-Site Request Forgery (CSRF)
The `zone-include.php` script in Revive Adserver 6.0.7 was vulnerable to a CSRF attack. Linking and unlinking banners or campaigns to zones could be triggered via crafted GET or POST requests without any verification of the CSRF token, allowing an attacker to perform these actions on behalf of an authenticated administrator.
resolved
Missing ownership validation allows cross‑manager tracker–campaign linking
Bug reported by someone was disclosed at June 25, 2026, 1:40 pm | Insecure Direct Object Reference (IDOR)
A vulnerability was reported in Revive Adserver version 6.0.7 and earlier that allowed a low-privileged user to link their trackers to campaigns owned by other managers on the same instance. This was due to a lack of proper ownership validation in the `tracker-campaigns.php` script, which handled the reverse operation of linking campaigns and trackers.
resolved
Reflected XSS in stats‑video.php via improperly encoded URL parameters
Bug reported by Mahmoud Khaled was disclosed at June 25, 2026, 1:39 pm | Cross-site Scripting (XSS) - Reflected
A reflected XSS vulnerability was discovered in the stats‑video.php script due to improper encoding of user input in the URL parameters.
resolved
HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
Bug reported by 陳昱昇 was disclosed at June 25, 2026, 5:03 am | Time-of-check Time-of-use (TOCTOU) Race Condition
resolved
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)
Bug reported by Vitaly was disclosed at June 25, 2026, 5:03 am | Improper Access Control - Generic
resolved
Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:02 am | Improper Handling of Unicode Encoding
resolved
Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching
Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:01 am | Improper Access Control - Generic
resolved
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections
Bug reported by 3d7omb was disclosed at June 25, 2026, 5:01 am | Exploiting Incorrectly Configured SSL/TLS
resolved
Permission Model bypass via FileHandle.utimes() in the promises API
Bug reported by Muhammad Daffa was disclosed at June 25, 2026, 5:00 am | Incorrect Default Permissions
resolved
Proxy credentials leaked in ERR_PROXY_TUNNEL error message
Bug reported by Ali Saifeldin was disclosed at June 25, 2026, 5:00 am | Privacy Violation
resolved
Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames
Bug reported by kingsd was disclosed at June 25, 2026, 4:59 am | Uncontrolled Resource Consumption
resolved
Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings
Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 4:59 am | Improper Access Control - Generic
resolved
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)
Bug reported by Erichen was disclosed at June 25, 2026, 4:58 am | Integer Overflow