HackerOne Disclosed Reports - 2026-06-03 - Printable Version
Dark C0d3rs (https://darkcoders.wiki) / Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log) / Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports) / Thread: HackerOne Disclosed Reports - 2026-06-03 (/Thread-HackerOne-Disclosed-Reports-2026-06-03)
HackerOne disclosed reports - 2026-06-03 - hashXploiter - 06-04-2026
Medium - resolved: Missing access control when linking banners or campaigns to zones
Bug reported by Ahmed Ghadban was disclosed at June 3, 2026, 1:35 pm | Improper Access Control - Generic
A missing access control check was identified when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API. This could have allowed a low-privileged user to link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.

Medium - resolved: Missing access control when linking trackers to campaigns
Bug reported by Ahmed Ghadban was disclosed at June 3, 2026, 1:35 pm | Improper Access Control - Generic
A missing access control check was reported when linking trackers to campaigns through the "campaign-trackers.php" script of Revive Adserver 6.0.6 and earlier. A low-privileged user could link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.

High - resolved: Blind SQL injection via clientid parameter in zone-include.php
Bug reported by Kaushalendra Dubey was disclosed at June 3, 2026, 1:34 pm | SQL Injection

Medium - resolved: Reflected XSS via clientid parameter in zone-include.php
Bug reported by Kaushalendra Dubey was disclosed at June 3, 2026, 1:34 pm | Cross-site Scripting (XSS) - Reflected

High - resolved: PHP code injection via delivery limitation logical
Bug reported by 0x4C616E was disclosed at June 3, 2026, 1:33 pm | Code Injection

Medium - resolved: Stored XSS via Full Name field in userlog email entries
Bug reported by was disclosed at June 3, 2026, 1:33 pm | Cross-site Scripting (XSS) - Stored

Medium - resolved: Session ID reuse allowing XML-RPC API authentication bypass
Bug reported by 0x4C616E was disclosed at June 3, 2026, 1:33 pm | Improper Authentication - Generic

Medium - resolved: Missing access control when modifying parent entities via XML-RPC
Bug reported by was disclosed at June 3, 2026, 1:32 pm | Improper Access Control - Generic

Medium - resolved: Banner status override by advertiser-level users
Bug reported by Vertical was disclosed at June 3, 2026, 1:32 pm | Improper Access Control - Generic
A vulnerability was reported in Revive Adserver 6.0.6 and earlier, which allowed an advertiser-level user to activate or deactivate a banner without proper permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten solely based on banner edit permissions.

High - resolved: PHP code injection via unexpected delivery limitation parameter
Bug reported by rajib mahmud was disclosed at June 3, 2026, 1:29 pm | Code Injection
A vulnerability was reported in Revive Adserver 6.0.6 and earlier versions where user input was not properly validated when saving delivery limitations. This allowed a low-privileged user to inject malicious PHP code into the `compiledlimitations` field, which could then be executed during banner delivery.