CVE-2026-44960 is a stored XSS vulnerability that uses usernames as the attack vector. When an admin user views the audit log details for affected entries, any malicious JavaScript payload embedded in the username is executed due to missing output sanitisation. The vulnerability has been addressed by adding proper escaping to the audit log details output. The CVE was publish [truncated]
CVE-2026-44959 is a high-severity vulnerability in Revive Adserver 6.0.6 and earlier versions. The issue arises from a missing validation of user input when saving delivery limitations, allowing a low-privileged user to inject malicious PHP code. This code would then be executed during banner delivery. The vulnerability has been assigned a CVSS score of 8.8 and is considered high severity. Input sanitizat [truncated]
CVE-2026-44956 is a stored XSS vulnerability in user log details. Low-privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system-generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output [truncated]
CVE-2026-34917 is a medium-severity vulnerability affecting an unknown vendor's product. Low-privileged session IDs generated for the web admin console could be reused in the XML-RPC API, potentially allowing attackers to gain unauthorized access. The session context is now recorded along with other session data, preventing session IDs from being used interchangeably. This change aims to mitigate the vuln [truncated]
CVE-2026-34915 is a blind SQL injection vulnerability in Revive Adserver 6.0.6 and earlier versions. The issue arises from inadequate sanitization of user input in the zone-include.php script, specifically with the clientid parameter. This vulnerability allows a low-privileged user to perform blind SQL injection attacks. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity. To ad [truncated]
CVE-2026-34913 is a vulnerability in Revive Adserver 6.0.6 and earlier versions. The issue arises from a missing access control check when linking trackers to campaigns through the campaign-trackers.php script. This oversight could enable a low-privileged user to link their trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships. To address this, [truncated]