Description
Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed but otherwise valid plugin identifier as `type`, or using the `ox.setChannelTargeting` XML-RPC API method.
Published: 2026-06-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bypass exists that defeats the previous remediation for CVE-2026-34916 in Revive Adserver. By supplying a disallowed but otherwise syntactically correct plugin identifier as the `type` field, or by invoking the `ox.setChannelTargeting` XML-RPC method, an attacker can activate a plugin that the system should reject. The flaw aligns with CWE‑94, which concerns code injection or execution via untrusted inputs. Because the bypass allows code to be executed in the adserver’s context, it can lead to full compromise of the underlying host.

Affected Systems

Any Revive Adserver installation that has not applied the patch for CVE-2026-34916 is potentially vulnerable. No specific product versions are listed; therefore all releases—including the latest—should be checked for the applied fix.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS is not available, but the lack of a KEV listing does not reduce the threat. An attacker can exploit the issue remotely over the network by crafting a request that targets the plugin validation path or the XML‑RPC endpoint. Because the vulnerability is a bypass rather than a new flaw, it can be triggered from an external attacker’s interface with legitimate-looking payloads. If the application is exposed to the open internet, the likelihood of exploitation remains elevated.

Generated by OpenCVE AI on June 26, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Revive Adserver version that includes the CVE‑2026‑34916 fix.
  • If an upgrade is not feasible, configure the system to reject any plugin identifiers that are not explicitly listed in the allowed set and enforce strict type validation.
  • Restrict access to the XML‑RPC API by firewalling or IP whitelisting to trusted administrative hosts.

Generated by OpenCVE AI on June 26, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Revive Adserver Code Injection Bypass via Plugin ID or XML‑RPC

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description Bypass to the fix for CVE-2026-34916. Variants of such vectors have been also reported by phucrio and offsetmd. The fix can be bypassed either by sending a disallowed but otherwise valid plugin identifier as `type`, or using the `ox.setChannelTargeting` XML-RPC API method.
Weaknesses CWE-94
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Revive Adserver
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T12:27:43.548Z

Reserved: 2026-06-06T15:00:09.779Z

Link: CVE-2026-50741

cve-icon Vulnrichment

Updated: 2026-06-26T12:27:39.779Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')