{"api_version":"1","generated_at":"2026-06-26T13:37:51+00:00","cve":"CVE-2026-50745","urls":{"html":"https://cve.report/CVE-2026-50745","api":"https://cve.report/api/cve/CVE-2026-50745.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-50745","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-50745"},"summary":{"title":"CVE-2026-50745","description":"A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input to be reflected without escaping.","state":"PUBLISHED","assigner":"hackerone","published_at":"2026-06-26 02:16:53","updated_at":"2026-06-26 13:16:35"},"problem_types":["CWE-79","CWE-79 CWE-79 Cross-site Scripting (XSS) - Reflected"],"metrics":[{"version":"3.0","source":"support@hackerone.com","type":"Secondary","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"baseScore":4.7,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"}}],"references":[{"url":"https://hackerone.com/reports/3793243","name":"https://hackerone.com/reports/3793243","refsource":"support@hackerone.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-50745","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50745","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Revive","product":"Adserver","version":"affected 6.0.7 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Mahmoud Khaled (Kanon4)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-50745","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-26T12:29:06.205421Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-26T12:29:14.728Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Adserver","vendor":"Revive","versions":[{"lessThanOrEqual":"6.0.7","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Mahmoud Khaled (Kanon4)"}],"descriptions":[{"lang":"en","value":"A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input to be reflected without escaping."}],"metrics":[{"cvssV3_0":{"baseScore":4.7,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Cross-site Scripting (XSS) - Reflected","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-26T01:11:14.310Z","orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone"},"references":[{"url":"https://hackerone.com/reports/3793243"}]}},"cveMetadata":{"assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","assignerShortName":"hackerone","cveId":"CVE-2026-50745","datePublished":"2026-06-26T01:11:14.310Z","dateReserved":"2026-06-06T15:00:09.780Z","dateUpdated":"2026-06-26T12:29:14.728Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-26 02:16:53","lastModifiedDate":"2026-06-26 13:16:35","problem_types":["CWE-79","CWE-79 CWE-79 Cross-site Scripting (XSS) - Reflected"],"metrics":{"cvssMetricV30":[{"source":"support@hackerone.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.6,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-26T12:29:06.205421Z","id":"CVE-2026-50745","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"50745","Ordinal":"1","Title":"CVE-2026-50745","CVE":"CVE-2026-50745","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"50745","Ordinal":"1","NoteData":"A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input to be reflected without escaping.","Type":"Description","Title":"CVE-2026-50745"}]}}}