Description
A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated.
Published: 2026-06-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to execute blind SQL injection attacks via the clientid parameter. The flaw can be used to infer database contents or, though not explicitly stated in the description, it is commonly understood that blind SQL injection could potentially allow reading or modifying database records, representing a confidentiality and integrity risk.

Affected Systems

The vulnerability impacts Revive Adserver 6.0.6 and all earlier releases of the Revive:Adserver product line.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, implying a lower likelihood of widespread exploitation. The likely attack vector is an HTTP request to zone-include.php, where an attacker can modify the clientid query string to perform the injection.

Generated by OpenCVE AI on June 24, 2026 at 11:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Revive Adserver to a version that includes the improved input sanitisation for zone-include.php.
  • If an upgrade is not immediately possible, restrict or block access to the zone-include.php endpoint from non‑privileged users or enforce strict input validation via a WAF or server configuration.
  • Ensure that any remaining clientid parameters are properly validated or removed from the public API surface.

Generated by OpenCVE AI on June 24, 2026 at 11:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Missing Sanitization in Revive Adserver Zone-Include Enables Blind SQL Injection

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title Missing Sanitization in Revive Adserver Zone-Include Enables Blind SQL Injection

Wed, 24 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Blind SQL Injection via Unvalidated clientid Parameter in Revive Adserver zone-include.php

Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Blind SQL Injection via Unvalidated clientid Parameter in Revive Adserver zone-include.php

Tue, 23 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Blind SQL Injection via Unvalidated clientid Parameter in Revive Adserver zone-include.php

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Blind SQL Injection via Unvalidated clientid Parameter in Revive Adserver zone-include.php

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated.
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 6.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-23T17:42:13.398Z

Reserved: 2026-03-31T15:00:06.522Z

Link: CVE-2026-34915

cve-icon Vulnrichment

Updated: 2026-06-23T17:42:10.001Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')