CVE-2026-50740
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In Revive Adserver 6.0.7 and earlier, missing sanitization of user input in the zone-include.php script allows XSS attacks. A low-privileged user can exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.
Risk Assessment
An attacker can inject malicious script that executes in the victim's browser, leading to session theft, redirects, or data theft.
Recommendation
Immediately update Revive Adserver to the latest version containing the security fix. If an update is not possible, restrict access to the zone-include.php script and apply filtering to the refresh parameter.
Original NVD description (English source)
A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks.

