Dark C0d3rs
HackerOne Disclosed Reports - 2026-06-25 - Printable Version




HackerOne disclosed reports - 2026-06-25 - hashXploiter - 06-26-2026

High
resolved

PHP code injection in delivery-limitation `logical` validation bypass - XML-RPC setChannelTargeting


Bug reported by Doom was disclosed at June 25, 2026, 1:43 pm   |   Code Injection


Medium
resolved

XML‑RPC login leak exposes valid session ID enabling unauthorized API access


Bug reported by Garut Pride was disclosed at June 25, 2026, 1:43 pm   |   Improper Access Control - Generic


Medium
resolved

Reflected XSS via unsanitised refresh parameter in zone invocation tag


Bug reported by Mahmoud Khaled was disclosed at June 25, 2026, 1:41 pm   |   Cross-site Scripting (XSS) - Reflected

A missing sanitization of user input in the zone-include.php script of Revive Adserver 6.0.7 and earlier was reported. This vulnerability allowed a low-privileged user to perform reflected XSS attacks by exploiting the refresh parameter of the iFrame invocation tag.


High
resolved

PHP code injection in delivery-limitation `logical` validation bypass


Bug reported by Rio [Redacted] was disclosed at June 25, 2026, 1:40 pm   |   Code Injection

A vulnerability in the delivery-limitation `logical` validation was reported. The vulnerability allowed bypassing the fix for CVE-2026-34916 by sending a disallowed but otherwise valid plugin identifier as `type`, or using the `ox.setChannelTargeting` XML-RPC API method.


Medium
resolved

Stored XSS in maintenance tools via unescaped entity names


Bug reported by Althaf Shajahan was disclosed at June 25, 2026, 1:40 pm   |   Cross-site Scripting (XSS) - Stored

A stored XSS vulnerability was discovered in the maintenance tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected in the `maintenance-acl-check.php` and `maintenance-banners-check.php` files.


Medium
resolved

CSRF in zone‑include.php allows unauthorized banner and campaign linking


Bug reported by Althaf Shajahan was disclosed at June 25, 2026, 1:40 pm   |   Cross-Site Request Forgery (CSRF)

The `zone-include.php` script in Revive Adserver 6.0.7 was vulnerable to a CSRF attack. Linking and unlinking banners or campaigns to zones could be triggered via crafted GET or POST requests without any verification of the CSRF token, allowing an attacker to perform these actions on behalf of an authenticated administrator.


Medium
resolved

Missing ownership validation allows cross‑manager tracker–campaign linking


Bug reported by someone was disclosed at June 25, 2026, 1:40 pm   |   Insecure Direct Object Reference (IDOR)

A vulnerability was reported in Revive Adserver version 6.0.7 and earlier that allowed a low-privileged user to link their trackers to campaigns owned by other managers on the same instance. This was due to a lack of proper ownership validation in the `tracker-campaigns.php` script, which handled the reverse operation of linking campaigns and trackers.


Medium
resolved

Reflected XSS in stats‑video.php via improperly encoded URL parameters


Bug reported by Mahmoud Khaled was disclosed at June 25, 2026, 1:39 pm   |   Cross-site Scripting (XSS) - Reflected

A reflected XSS vulnerability was discovered in the stats‑video.php script due to improper encoding of user input in the URL parameters.


Low
resolved

HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`


Bug reported by 陳昱昇 was disclosed at June 25, 2026, 5:03 am   |   Time-of-check Time-of-use (TOCTOU) Race Condition


Low
resolved

Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix)


Bug reported by Vitaly was disclosed at June 25, 2026, 5:03 am   |   Improper Access Control - Generic


High
resolved

Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat


Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:02 am   |   Improper Handling of Unicode Encoding


Medium
resolved

Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching


Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 5:01 am   |   Improper Access Control - Generic


Medium
resolved

TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections


Bug reported by 3d7omb was disclosed at June 25, 2026, 5:01 am   |   Exploiting Incorrectly Configured SSL/TLS


Low
resolved

Permission Model bypass via FileHandle.utimes() in the promises API


Bug reported by Muhammad Daffa was disclosed at June 25, 2026, 5:00 am   |   Incorrect Default Permissions


Medium
resolved

Proxy credentials leaked in ERR_PROXY_TUNNEL error message


Bug reported by Ali Saifeldin was disclosed at June 25, 2026, 5:00 am   |   Privacy Violation


Medium
resolved

Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames


Bug reported by kingsd was disclosed at June 25, 2026, 4:59 am   |   Uncontrolled Resource Consumption


Medium
resolved

Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings


Bug reported by Tasos Meletlidis was disclosed at June 25, 2026, 4:59 am   |   Improper Access Control - Generic


High
resolved

Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS)


Bug reported by Erichen was disclosed at June 25, 2026, 4:58 am   |   Integer Overflow