CVE-2026-34916
HighCVSS 8.8Summary
A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low-privileged user to inject malicious PHP code into the compiledlimitations field on the database, resulting in its execution during banner delivery.
Risk Assessment
The organization may be exposed to the execution of malicious code, potentially leading to system compromise and data leakage.
Recommendation
It is recommended to upgrade to the latest version of Revive Adserver, where input sanitization and parameter validation have been improved.
Original NVD description (English source)
A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code into the compiledlimitations field on the database and have it executed during banner delivery. Input sanitisation has been improved to ensure that the parameter is properly validated.

