Description
HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error.
Published: 2026-01-20
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a format string injection in configuration settings of Revive Adserver. When an attacker supplies certain character combinations, the PHP process throws a fatal error, causing the admin console to become unusable. This weakness corresponds to CWE‑134, which can lead to a loss of functionality for privileged users. The consequence is a denial of service to administrators, preventing configuration changes and potentially interrupting ad delivery schedules.

Affected Systems

Revive Adserver is affected; no specific version information is available, so any installation that uses the current settings interface should be treated as potentially vulnerable.

Risk and Exploitability

The CVSS score of 2.7 indicates moderate severity, but the low EPSS score (<1%) and absence from the KEV catalog suggest a low likelihood of exploitation in the near term. The likely attack vector is through authenticated access to the admin interface, where an attacker can modify settings. The vulnerability requires administrator privileges to inject the format string; unauthenticated users cannot trigger the error. Because the impact is limited to a denial of service for administrators, the overall risk is considered low to moderate.

Generated by OpenCVE AI on April 18, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Revive Adserver support for an official patch or further guidance
  • Validate and sanitize user input in configuration settings to reject format string patterns before storing or using them
  • Restrict administrative access to configuration pages to trusted personnel and enforce principle of least privilege

Generated by OpenCVE AI on April 18, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://hackerone.com/reports/3445332 cve-icon cve-icon
History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Format String Injection in Revive Adserver Settings Causing Admin Console Crash

Fri, 30 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aquaplatform
Aquaplatform revive Adserver
CPEs cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:*
Vendors & Products Aquaplatform
Aquaplatform revive Adserver
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

Wed, 21 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-134
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Tue, 20 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
Description HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error.
References
Metrics cvssV3_0

{'score': 2.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Aquaplatform Revive Adserver
Revive Adserver
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-01-21T18:52:43.635Z

Reserved: 2026-01-01T15:00:02.339Z

Link: CVE-2026-21640

cve-icon Vulnrichment

Updated: 2026-01-21T18:35:26.346Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T21:16:06.063

Modified: 2026-01-30T20:17:33.390

Link: CVE-2026-21640

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses