Executive Summary
A critical vulnerability, CVE-2026-34916, has been discovered in Revive Adserver 6.0.6 and earlier. This vulnerability allows a low-privileged user to inject malicious PHP code, potentially leading to arbitrary code execution during banner delivery. The vulnerability has a CVSS score of 8.8, indicating a high severity level.
Technical Analysis
The vulnerability is caused by a missing validation of user input when saving delivery limitations in Revive Adserver. Specifically, the logical parameter is not properly sanitized, allowing an attacker to inject malicious PHP code into the compiled limitations field in the database. This code can then be executed during banner delivery. The vulnerability is classified as CWE-94, which involves improper control of code generation ('code injection').
How It Gets Exploited
An attacker with low privileges can exploit this vulnerability by injecting malicious PHP code into the logical parameter when saving delivery limitations. The attacker would need to craft a malicious payload that would be executed during banner delivery. For example, an attacker could inject a PHP script that writes a webshell to the server, allowing for remote code execution. The attacker would then need to trigger the execution of the malicious code by accessing the banner delivery endpoint.
Impact Assessment
Revive Adserver 6.0.6 and earlier versions are affected by this vulnerability. An attacker could achieve arbitrary code execution, potentially leading to a complete compromise of the server. The CVSS score of 8.8 indicates a high severity level, with high impacts on confidentiality, integrity, and availability.
Recommended Actions
To mitigate this vulnerability, update Revive Adserver to version 6.0.7 or later. Additionally, implement input validation and sanitization for user input, and monitor for suspicious activity on the server. Detection guidance: Monitor for unusual changes to the compiled limitations field in the database, and investigate any instances of unexpected PHP code execution.
Sources
- National Vulnerability Database (NVD)
- HackerOne