HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21664.json",
"cna_assigner": "hackerone",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "6"
},
{
"last_affected": "6.0.4"
}
],
"source": "AFFECTED_FIELD"
}
]
}