CVE-2026-44960 - Vulnerability Details

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to the audit log details output.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Revive	Adserver

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Revive	Adserver

References

Link	Providers
https://hackerone.com/reports/3680090

History

Tue, 23 Jun 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title		Stored Cross‑Site Scripting in Revive Adserver Audit Log via Username Field

Tue, 23 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Revive Revive adserver
Vendors & Products		Revive Revive adserver

Tue, 23 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to the audit log details output.
Weaknesses		CWE-79
References		https://hackerone.com/reports/3680090
Metrics		cvssV3_0 `{'score': 0, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-06-23T16:14:38.124Z

Updated: 2026-06-23T17:46:02.076Z

Reserved: 2026-05-08T15:00:02.447Z

Link: CVE-2026-44960

Vulnrichment

Updated: 2026-06-23T17:45:53.576Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T22:00:09Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object