Format String Injection in Revive Adserver by Revive Adserver
CVE-2026-21640

2.7LOW

Key Information:

Vendor: Revive
Status: Revive Adserver
Vendor: CVE Published:; 20 January 2026

What is CVE-2026-21640?

A format string injection vulnerability has been identified in the settings of Revive Adserver. This flaw allows an attacker to utilize specific character combinations that can result in a fatal PHP error, consequently disabling the admin user console. As a result, administrators may be unable to access critical functionalities of the platform, leading to potential exploitation.

Affected Version(s)

Revive Adserver 6 <= 6.0.4

References

https://hackerone.com/reports/3445332

CVSS V3.0

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 20, 2026
Vulnerability Reserved
Jan 1, 2026

CVE-2026-21640 Data

JSON