Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Unrated

Remote Code Execution in Revive Adserver delivery limitations

IdentifiersCVE-2026-34916CWE-94

CVE-2026-34916 is a high-severity code injection vulnerability in Revive Adserver 6.0.6 and earlier. The flaw is caused by missing validation of user input when saving delivery limitations. A low-privileged user can abuse the logical parameter to inject malicious PHP code into the compiledlimitations field stored in the database. That injected PHP is later executed during banner delivery, resulting in server-side code execution within the context of the ad server. The issue stems from insufficient sanitization and validation of attacker-controlled input before it is persisted and subsequently interpreted as executable PHP.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a low-privileged authenticated user to achieve arbitrary PHP code execution on the Revive Adserver instance during banner delivery. Given the stated CVSS impacts and the nature of PHP execution on the server, this can lead to full compromise of the application, unauthorized access to sensitive advertising and user data, modification of application state and content, deployment of persistent backdoors, and disruption of service availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access for low-privileged users who can save or modify delivery limitations, reduce ad-operations and administrative permissions to the minimum necessary, and closely monitor for unauthorized changes to delivery limitation data and the compiledlimitations field. Additional temporary risk reduction includes limiting access to the management interface, auditing low-privileged accounts, and monitoring banner delivery behavior and server-side PHP execution for signs of injected logic. No complete workaround is provided in the supplied content.

Remediation

Patch, then assume compromise.

Upgrade Revive Adserver to version 6.0.7 or later, or another vendor release that includes the fix. The vendor indicates that input sanitisation was improved so the affected parameter is properly validated. Remediation should include deploying the patched version, verifying that delivery limitation handling no longer permits unsafe values in the logical parameter, and reviewing the compiledlimitations field and related banner-delivery logic for malicious entries that may have been inserted prior to patching.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Revive-AdserverRevive Adserverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
cvefeed high severityNews
Jun 26, 2026
CVE-2026-50741 - Nuxeo XML-RPC Bypass for CVE-2026-34916

A previously fixed vulnerability referenced as the issue whose remediation is bypassed by CVE-2026-50741.

Read more
cvefeed high severityNews
Jun 23, 2026
CVE-2026-34916 - Revive Adserver PHP Code Injection

A PHP code injection vulnerability in Revive Adserver 6.0.6 and earlier caused by insufficient validation of user input when saving delivery limitations, allowing a low-privileged user to inject and execute malicious PHP code during banner delivery.

Read more
revive adserverNews
Jun 3, 2026
Revive Adserver Security Advisory REVIVE SA-2026-002 - Revive Adserver

A remote code execution vulnerability in Revive Adserver that allows a low-privileged user to inject malicious PHP code via the logical parameter into compiledlimitations, leading to code execution during banner delivery.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-34916
NVD
nvd.nist.gov/vuln/detail/CVE-2026-34916
MITRE CWE · CWE-94
cwe.mitre.org