Home

Description

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated.

PUBLISHED Reserved 2026-03-31 | Published 2026-06-23 | Updated 2026-06-23 | Assigner hackerone




HIGH: 8.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Problem types

CWE-89 SQL Injection

Product status

Default status
unaffected

Any version
affected

Credits

Kaushalendra Dubey (titanrain) reporter

References

hackerone.com/reports/3653196

cve.org (CVE-2026-34914)

nvd.nist.gov (CVE-2026-34914)

Download JSON