CVE-2026-50742 | A stored XSS vulnerabilities exists in the `maintenance-acl-… | CVSS 4.4 MEDIUM

Description

A stored XSS vulnerabilities exists in the `maintenance-acl-check.php` and `maintenance-banners-check.php` tools of Revive Adserver 6.0.7. The issue was caused by entity names being displayed without proper escaping when inconsistencies were detected. Whether the XSS payload is executed when an administrator uses the affected maintenance tools is not entirely under the attacker's control.

Metadata

CVE ID: CVE-2026-50742
State: PUBLISHED
Assigner: hackerone
Reserved: 2026-06-06 15:00 UTC
Published: 2026-06-26 01:11 UTC
Last updated: 2026-06-26 12:25 UTC
Primary CWE: CWE-79
CWE-79 Cross-site Scripting (XSS) - Stored
Vendor / Product: Revive / Adserver
Sources: cve.org · NVD

Severity & Metrics

4.4 MEDIUM CVSS 3.0

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Revive	Adserver	—	0 ≤ 6.0.7

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79 Cross-site Scripting (XSS) - Stored

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.4	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

References (1)

https://hackerone.com/reports/3781311