HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21663.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "6"
},
{
"last_affected": "6.0.4"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "hackerone"
}